ALAS2-2026-3201

Amazon Linux 2 Security Advisory: ALAS2-2026-3201
Advisory Released Date: 2026-03-19
Advisory Updated Date: 2026-03-19
Severity: Important
Issue Overview:

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerability is in the CRW image parser. This issue has been patched in version 0.28.8. (CVE-2026-25884)

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8. (CVE-2026-27596)

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8. (CVE-2026-27631)


Affected Packages:

exiv2


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update exiv2 or yum update --advisory ALAS2-2026-3201 to update your system.

New Packages:
aarch64:
    exiv2-0.27.0-4.amzn2.0.7.aarch64
    exiv2-devel-0.27.0-4.amzn2.0.7.aarch64
    exiv2-libs-0.27.0-4.amzn2.0.7.aarch64
    exiv2-debuginfo-0.27.0-4.amzn2.0.7.aarch64

i686:
    exiv2-0.27.0-4.amzn2.0.7.i686
    exiv2-devel-0.27.0-4.amzn2.0.7.i686
    exiv2-libs-0.27.0-4.amzn2.0.7.i686
    exiv2-debuginfo-0.27.0-4.amzn2.0.7.i686

noarch:
    exiv2-doc-0.27.0-4.amzn2.0.7.noarch

src:
    exiv2-0.27.0-4.amzn2.0.7.src

x86_64:
    exiv2-0.27.0-4.amzn2.0.7.x86_64
    exiv2-devel-0.27.0-4.amzn2.0.7.x86_64
    exiv2-libs-0.27.0-4.amzn2.0.7.x86_64
    exiv2-debuginfo-0.27.0-4.amzn2.0.7.x86_64

Additional References

Release Notes:  Amazon Linux 2 Release Notes

Red Hat: CVE-2026-25884, CVE-2026-27596, CVE-2026-27631

Mitre: CVE-2026-25884, CVE-2026-27596, CVE-2026-27631