{"id":"USN-8103-1","summary":"exiv2 vulnerabilities","details":"It was discovered that Exiv2 did not correctly handle reading certain\nbuffers. An attacker could possibly use this issue to leak sensitive\ninformation. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04\nLTS. (CVE-2020-18771)\n\nWen Cheng discovered that Exiv2 did not correctly handle certain memory\nallocation. If a user or system were tricked into opening a specially\ncrafted file, an attacker could possibly use this issue to cause a denial\nof service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.\n(CVE-2020-18899)\n\nIt was discovered that Exiv2 did not correctly handle writing certain\nmetadata. If a user or system were tricked into opening a specially crafted\nfile, an attacker could possibly use this issue to cause a denial of\nservice. (CVE-2025-54080)\n\nIt was discovered that Exiv2 did not correctly handle parsing certain\nmetadata. If a user or system were tricked into opening a specially crafted\nfile, an attacker could possibly use this issue to cause a denial of\nservice. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,\nUbuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-55304)\n\nIt was discovered that Exiv2 did not correctly handle parsing certain\nimages. If a user or system were tricked into opening a specially crafted\nfile, an attacker could possibly use this issue to cause a denial of\nservice. (CVE-2026-25884)\n\nIt was discovered that Exiv2 did not correctly handle previewing certain\nimages. An attacker could possibly use this issue to cause a denial of\nservice. (CVE-2026-27596)\n\nIt was discovered that Exiv2 did not correctly handle certain integer\narithmetic. An attacker could possibly use this issue to cause a denial of\nservice. (CVE-2026-27631)","modified":"2026-03-20T06:34:08.355061Z","published":"2026-03-18T02:55:39Z","related":["UBUNTU-CVE-2020-18771","UBUNTU-CVE-2020-18899","UBUNTU-CVE-2025-54080","UBUNTU-CVE-2025-55304","UBUNTU-CVE-2026-25884","UBUNTU-CVE-2026-27596","UBUNTU-CVE-2026-27631"],"upstream":["CVE-2020-18771","CVE-2020-18899","CVE-2025-54080","CVE-2025-55304","CVE-2026-25884","CVE-2026-27596","CVE-2026-27631","UBUNTU-CVE-2020-18771","UBUNTU-CVE-2020-18899","UBUNTU-CVE-2025-54080","UBUNTU-CVE-2025-55304","UBUNTU-CVE-2026-25884","UBUNTU-CVE-2026-27596","UBUNTU-CVE-2026-27631"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8103-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-18771"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-18899"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-54080"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-55304"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-25884"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-27596"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-27631"}],"affected":[{"package":{"name":"exiv2","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/exiv2@0.25-2.1ubuntu16.04.7+esm5?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.25-2.1ubuntu16.04.7+esm5"}]}],"versions":["0.25-1ubuntu1","0.25-2.1","0.25-2.1ubuntu16.04.1","0.25-2.1ubuntu16.04.2","0.25-2.1ubuntu16.04.3","0.25-2.1ubuntu16.04.4","0.25-2.1ubuntu16.04.5","0.25-2.1ubuntu16.04.6","0.25-2.1ubuntu16.04.7+esm1","0.25-2.1ubuntu16.04.7+esm2","0.25-2.1ubuntu16.04.7+esm3","0.25-2.1ubuntu16.04.7+esm4"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"exiv2","binary_version":"0.25-2.1ubuntu16.04.7+esm5"},{"binary_name":"libexiv2-14","binary_version":"0.25-2.1ubuntu16.04.7+esm5"},{"binary_name":"libexiv2-dev","binary_version":"0.25-2.1ubuntu16.04.7+esm5"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2020-18771","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2020-18899","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2025-54080","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2026-25884","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27596","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27631","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:16.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-1.json"}},{"package":{"name":"exiv2","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/exiv2@0.25-3.1ubuntu0.18.04.11+esm1?arch=source&distro=esm-infra/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.25-3.1ubuntu0.18.04.11+esm1"}]}],"versions":["0.25-3.1","0.25-3.1ubuntu0.18.04.1","0.25-3.1ubuntu0.18.04.2","0.25-3.1ubuntu0.18.04.3","0.25-3.1ubuntu0.18.04.4","0.25-3.1ubuntu0.18.04.5","0.25-3.1ubuntu0.18.04.7","0.25-3.1ubuntu0.18.04.9","0.25-3.1ubuntu0.18.04.10","0.25-3.1ubuntu0.18.04.11"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"exiv2","binary_version":"0.25-3.1ubuntu0.18.04.11+esm1"},{"binary_name":"libexiv2-14","binary_version":"0.25-3.1ubuntu0.18.04.11+esm1"},{"binary_name":"libexiv2-dev","binary_version":"0.25-3.1ubuntu0.18.04.11+esm1"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2020-18771","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2020-18899","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2025-54080","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2026-25884","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27596","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27631","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:18.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-1.json"}},{"package":{"name":"exiv2","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/exiv2@0.27.2-8ubuntu2.7+esm1?arch=source&distro=esm-infra/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.27.2-8ubuntu2.7+esm1"}]}],"versions":["0.25-4ubuntu2","0.25-4ubuntu3","0.27.2-8ubuntu2","0.27.2-8ubuntu2.2","0.27.2-8ubuntu2.4","0.27.2-8ubuntu2.5","0.27.2-8ubuntu2.6","0.27.2-8ubuntu2.7"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"exiv2","binary_version":"0.27.2-8ubuntu2.7+esm1"},{"binary_name":"libexiv2-27","binary_version":"0.27.2-8ubuntu2.7+esm1"},{"binary_name":"libexiv2-dev","binary_version":"0.27.2-8ubuntu2.7+esm1"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2025-54080","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2026-25884","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27596","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27631","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:Pro:20.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-1.json"}},{"package":{"name":"exiv2","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/exiv2@0.27.5-3ubuntu1.1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.27.5-3ubuntu1.1"}]}],"versions":["0.27.3-3ubuntu4","0.27.3-3.1ubuntu1","0.27.5-1ubuntu1","0.27.5-3ubuntu1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"exiv2","binary_version":"0.27.5-3ubuntu1.1"},{"binary_name":"libexiv2-27","binary_version":"0.27.5-3ubuntu1.1"},{"binary_name":"libexiv2-dev","binary_version":"0.27.5-3ubuntu1.1"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2025-54080","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2026-25884","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27596","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27631","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-1.json"}},{"package":{"name":"exiv2","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/exiv2@0.27.6-1ubuntu0.1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.27.6-1ubuntu0.1"}]}],"versions":["0.27.6-1","0.27.6-1build1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"exiv2","binary_version":"0.27.6-1ubuntu0.1"},{"binary_name":"libexiv2-27","binary_version":"0.27.6-1ubuntu0.1"},{"binary_name":"libexiv2-dev","binary_version":"0.27.6-1ubuntu0.1"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2025-54080","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2026-25884","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27596","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27631","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:24.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-1.json"}},{"package":{"name":"exiv2","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/exiv2@0.28.5+dfsg-1ubuntu0.1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.28.5+dfsg-1ubuntu0.1"}]}],"versions":["0.28.5+dfsg-1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"exiv2","binary_version":"0.28.5+dfsg-1ubuntu0.1"},{"binary_name":"libexiv2-28","binary_version":"0.28.5+dfsg-1ubuntu0.1"},{"binary_name":"libexiv2-data","binary_version":"0.28.5+dfsg-1ubuntu0.1"},{"binary_name":"libexiv2-dev","binary_version":"0.28.5+dfsg-1ubuntu0.1"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2025-54080","severity":[{"score":"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2026-25884","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27596","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-27631","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U","type":"CVSS_V4"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:25.10"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8103-1.json"}}],"schema_version":"1.7.5"}