CVE-2026-32775: libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data_get_value function gets passed in a 0 size, the passed in-buffer would be overwritten due to an integer underflow.
Overview
- Severity
- High (CVSS 7.4)
- CVSS Vector
- CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Exploit Status
- Not Exploited
- Patch Tuesday
- 2026-Mar
- Released
- 2026-03-17
- Last Updated
- 2026-03-31
- EPSS Score
- 0.19% (percentile: 9.1%)
Affected Products (3)
Open Source Software
- azl3 libexif 0.6.24-1 on Azure Linux 3.0
- cbl2 libexif 0.6.24-1 on CBL Mariner 2.0
- cbl2 libexif 0.6.24-2 on CBL Mariner 2.0
Revision History
- 2026-03-17: Information published.
- 2026-03-18: Information published.
- 2026-03-19: Information published.
- 2026-03-21: Information published.
- 2026-03-31: Information published.