ALAS2023-2026-1480

Amazon Linux 2023 Security Advisory: ALAS2023-2026-1480
Advisory Released Date: 2026-03-25
Advisory Updated Date: 2026-03-25
Severity: Important
Issue Overview:

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found. The vulnerability is in the CRW image parser. This issue has been patched in version 0.28.8. (CVE-2026-25884)

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an out-of-bounds read was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. The out-of-bounds read is at a 4GB offset, which usually causes Exiv2 to crash. This issue has been patched in version 0.28.8. (CVE-2026-27596)

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8. (CVE-2026-27631)


Affected Packages:

exiv2


Issue Correction:
Run dnf update exiv2 --releasever 2023.10.20260316 or dnf update --advisory ALAS2023-2026-1480 --releasever 2023.10.20260316 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    exiv2-libs-debuginfo-0.28.5-132.amzn2023.aarch64
    exiv2-debuginfo-0.28.5-132.amzn2023.aarch64
    exiv2-debugsource-0.28.5-132.amzn2023.aarch64
    exiv2-libs-0.28.5-132.amzn2023.aarch64
    exiv2-devel-0.28.5-132.amzn2023.aarch64
    exiv2-0.28.5-132.amzn2023.aarch64

noarch:
    exiv2-doc-0.28.5-132.amzn2023.noarch

src:
    exiv2-0.28.5-132.amzn2023.src

x86_64:
    exiv2-libs-debuginfo-0.28.5-132.amzn2023.x86_64
    exiv2-debuginfo-0.28.5-132.amzn2023.x86_64
    exiv2-0.28.5-132.amzn2023.x86_64
    exiv2-debugsource-0.28.5-132.amzn2023.x86_64
    exiv2-devel-0.28.5-132.amzn2023.x86_64
    exiv2-libs-0.28.5-132.amzn2023.x86_64

Additional References

Release Notes:  Amazon Linux 2023 Release Notes

Red Hat: CVE-2026-25884, CVE-2026-27596, CVE-2026-27631

Mitre: CVE-2026-25884, CVE-2026-27596, CVE-2026-27631