CVE-2021-37618

Publication date 9 August 2021

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An out-of-bounds read was found in Exiv2 versions v0.27.4 and earlier. The out-of-bounds read is triggered when Exiv2 is used to print the metadata of a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when printing the image ICC profile, which is a less frequently used Exiv2 operation that requires an extra command line option (`-p C`). The bug is fixed in version v0.27.5.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
exiv2	22.04 LTS jammy	Fixed 0.27.3-3ubuntu4
	21.10 impish	Fixed 0.27.3-3ubuntu4
	21.04 hirsute	Fixed 0.27.3-3ubuntu1.5
	20.04 LTS focal	Fixed 0.27.2-8ubuntu2.6
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not in release

Notes

leosilva

bionic, xenial not affected, code not present.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
exiv2	Upstream: https://github.com/Exiv2/exiv2/pull/1759/commits/f13ebca839e55d0c7ea1c7f57ae667c47fe9c0d5 Upstream: https://github.com/Exiv2/exiv2/pull/1759/commits/dbf472751fc8b87ea7d1de02f54eaf64233a2fb6

Severity score breakdown

Parameter	Value
Base score	5.5 · Medium
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

Related Ubuntu Security Notices (USN)

USN-5043-1
Exiv2 vulnerabilities
17 August 2021