CVE-2026-32775
Awaiting Analysis
Integer Underflow in libexif MakerNotes Causes Buffer Overwrite

Publication date: 2026-03-16

Last updated on: 2026-04-21

Assigner: MITRE

Description
libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data_get_value function is passed a size of 0, the passed-in buffer would be overwritten due to an integer underflow.
Meta Information
Published: 2026-03-16
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: libexif_project
Product: libexif
Version / Range: to 0.6.25 (inc)
CWE ID: CWE-191
Description: The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32775 is a vulnerability in the libexif library related to improper handling of the maxlen parameter in functions that retrieve metadata values from camera MakerNotes. Specifically, if the maxlen parameter is zero, the code decrements it without validation, causing an integer underflow. This underflow results in maxlen wrapping to a very large value, leading to buffer overflow when memory operations use this incorrect length.

The flaw affects multiple functions for different camera manufacturers (Apple, Canon, Fuji, Olympus, Pentax) where the maxlen parameter is not checked to be at least 1 before use. This can cause the passed-in buffer to be overwritten due to the underflow.

The issue was fixed by adding explicit checks to ensure maxlen is at least 1 before proceeding, returning NULL otherwise, preventing the underflow and subsequent buffer overflow.
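
The decrement-before-check pattern and the guard described above, as an added example in C (not libexif's code and not part of the original page). The function names, the sample string, and the assumption that maxlen is an unsigned int are hypothetical; the first function only computes the wrapped limit and performs no copy.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a decoded MakerNote value; not libexif data. */
static const char SAMPLE_VALUE[] = "Constructed MakerNote value";

/* Unchecked pattern: maxlen is decremented to reserve room for the NUL
 * terminator with no lower-bound check. Returns the limit a later copy
 * would be given; nothing is copied here. */
unsigned int unchecked_copy_limit(unsigned int maxlen)
{
    maxlen--;               /* maxlen == 0 wraps to UINT_MAX */
    return maxlen;
}

/* Guarded pattern: reject maxlen < 1 before the decrement and return
 * NULL, as the fix on this page is described. */
char *get_value_checked(const char *src, char *val, unsigned int maxlen)
{
    size_t n;

    if (src == NULL || val == NULL || maxlen < 1)
        return NULL;
    maxlen--;               /* cannot wrap: maxlen was at least 1 */
    n = strlen(src);
    if (n > maxlen)
        n = maxlen;         /* truncate to the caller's buffer */
    memcpy(val, src, n);
    val[n] = '\0';
    return val;
}

int main(void)
{
    char buf[8];

    printf("unchecked limit for maxlen=0: %u\n", unchecked_copy_limit(0));
    printf("checked, maxlen=0: %s\n",
           get_value_checked(SAMPLE_VALUE, buf, 0) ? "copied" : "NULL");
    printf("checked, maxlen=%zu: \"%s\"\n", sizeof buf,
           get_value_checked(SAMPLE_VALUE, buf, sizeof buf));
    return 0;
}
```
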


How can this vulnerability impact me?

This vulnerability can lead to a heap-based buffer overflow when processing specially crafted JPEG images containing malicious MakerNote EXIF metadata. An attacker could exploit this to cause application crashes or potentially execute arbitrary code depending on the heap layout.

Because the flaw involves memory corruption, it poses a high severity risk, potentially compromising the security and stability of applications using the vulnerable libexif versions.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by analyzing the handling of the maxlen parameter in libexif functions that process MakerNote EXIF metadata, especially for Apple, Canon, Fuji, Olympus, and Pentax camera manufacturers.

Detection can involve checking for crashes or abnormal behavior when processing JPEG images with crafted MakerNote metadata.

Static analysis tools or AddressSanitizer (ASAN) can be used to identify the integer underflow and buffer overflow issues in the vulnerable functions.

Specific commands are not provided in the resources, but you can use tools like:

  • Static code analyzers (e.g., clang static analyzer, Coverity) to scan libexif source code for improper maxlen handling.
  • AddressSanitizer (ASAN) to run applications using libexif and detect memory corruption or crashes triggered by crafted JPEG files.
  • Fuzz testing tools to feed malformed JPEG images with crafted MakerNote data to applications using libexif and monitor for crashes.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves updating libexif to a version that includes the patch fixing the integer underflow in the maxlen parameter handling.

The patch adds explicit checks in the affected functions to ensure maxlen is at least 1 before proceeding, returning NULL otherwise, preventing underflow and buffer overflow.

If updating is not immediately possible, avoid processing untrusted or malicious JPEG images containing MakerNote metadata from Apple, Canon, Fuji, Olympus, or Pentax cameras.

Additionally, consider applying runtime protections such as sandboxing or running image processing in isolated environments to limit potential impact.

