CVE-2018-7730
Description
Heap-based buffer over-read in Exempi <=2.4.4 via mishandled 0xffffffff length in PSIR_FileWriter.cpp leads to memory disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Exempi through version 2.4.4 contains a heap-based buffer over-read vulnerability in the PSD_MetaHandler::CacheFileData() function, triggered when XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp mishandles a length value of 0xffffffff [1][2]. This can occur when processing a crafted Adobe Photoshop PSD or similar file containing a malformed Image Resource Block (IRB) or Photoshop Image Resources (PSIR) data. The affected versions include all releases up to and including 2.4.4.
Exploitation
An attacker can exploit this issue by supplying a specially crafted file that, when parsed by an application using Exempi (such as a thumbnailer or metadata extractor), triggers the vulnerable code path. No authentication or special privileges are required; the attack vector is local, or remote via file download. The mishandling of the 0xffffffff length leads to a heap buffer over-read, potentially exposing sensitive heap memory contents.
Impact
A successful exploit can result in a heap-based buffer over-read, which may lead to information disclosure (confidentiality impact) by leaking heap data, or cause a crash (availability impact). The CVSS v3 score is 6.5 (Medium) [1], indicating a moderate severity with high attack complexity but no privileges required. There is no evidence of code execution or privilege escalation.
Mitigation
Red Hat released an update in RHSA-2019:2048 (2019-08-06) for Red Hat Enterprise Linux 7 [1]. Fedora and other distributions have also provided fixed versions; users should upgrade to a patched release (e.g., exempi-2.5.0 or later) when available. No workaround is documented; the only mitigation is to apply the vendor-supplied patch.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords (8 versions):
- pkg:rpm/opensuse/exempi&distro=openSUSE%20Tumbleweed (no CPE), range: < 2.5.2-1.3
- pkg:rpm/suse/exempi&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3 (no CPE), range: < 2.2.1-5.7.1
- pkg:rpm/suse/exempi&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4 (no CPE), range: < 2.0.2-4.5.1
- pkg:rpm/suse/exempi&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3 (no CPE), range: < 2.2.1-5.7.1
- pkg:rpm/suse/exempi&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4 (no CPE), range: < 2.0.2-4.5.1
- pkg:rpm/suse/exempi&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (no CPE), range: < 2.2.1-5.7.1
- pkg:rpm/suse/exempi&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4 (no CPE), range: < 2.0.2-4.5.1
- pkg:rpm/suse/exempi&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3 (no CPE), range: < 2.2.1-5.7.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A 0xffffffff length value is mishandled in the PSD_MetaHandler::CacheFileData function, leading to a heap-based buffer over-read."
Attack vector
An attacker can trigger this vulnerability by providing a crafted XLS file to the Exempi library. The mishandling of a specific length value during file processing causes the buffer over-read. This vulnerability is described as allowing for denial of service via a crafted XLS file [ref_id=1].
Affected code
The vulnerability resides in the PSD_MetaHandler::CacheFileData function, located in the file XMPFiles/source/FormatSupport/PSIR_FileWriter.cpp. This function is responsible for handling file data caching and is where the improper length handling occurs [ref_id=1].
What the fix does
The advisory indicates that an update for Exempi is available to address this issue. The specific fix involves correcting how the 0xffffffff length is handled within the PSD_MetaHandler::CacheFileData function in PSIR_FileWriter.cpp. This correction prevents the heap-based buffer over-read, thereby mitigating the denial of service risk [ref_id=1].
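The following is an added example, not code from Exempi or from this page. It assumes one way a 0xffffffff length can be mishandled: rounding the length up to an even size in 32-bit arithmetic wraps to 0, so a naive size check passes. The function names and sample bytes are hypothetical; the block layout used (an "8BIM" signature, 2-byte ID, even-padded Pascal name, 4-byte big-endian length) is the published Photoshop image resource layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: one resource with a 2-byte payload, and the same
   header declaring a length of 0xffffffff. */
const uint8_t GOOD[] = {'8','B','I','M', 0x04,0x04, 0,0, 0,0,0,2, 'h','i'};
const uint8_t BAD[]  = {'8','B','I','M', 0x04,0x04, 0,0, 0xFF,0xFF,0xFF,0xFF, 'h','i'};

/* Naive check, for contrast: 0xffffffff + 1 wraps to 0 in 32 bits, so the
   padded size looks like it fits in any buffer. */
int fits_unchecked(uint32_t data_len, size_t remaining) {
    uint32_t padded = (data_len + 1u) & 0xFFFFFFFEu;
    return padded <= remaining;
}

/* Hardened check: reject the wraparound before comparing sizes. */
int fits_checked(uint32_t data_len, size_t remaining) {
    uint32_t padded = (data_len + 1u) & 0xFFFFFFFEu;
    if (padded < data_len) return 0;          /* round-up overflowed */
    return padded <= remaining;
}

/* Walk the resource blocks; return how many were valid, or -1 if any
   header or declared length does not fit in the buffer. */
int psir_count_resources(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 12 || memcmp(buf + off, "8BIM", 4) != 0) return -1;
        off += 6;                              /* signature + resource ID */
        size_t name_total = ((size_t)buf[off] + 2) & ~(size_t)1;
        if (len - off < name_total + 4) return -1;
        off += name_total;                     /* Pascal name, even-padded */
        uint32_t data_len = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                            ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
        off += 4;
        if (!fits_checked(data_len, len - off)) return -1;
        off += (data_len + 1u) & 0xFFFFFFFEu;  /* safe: checked above */
        count++;
    }
    return count;
}

int main(void) {
    printf("naive check accepts 0xffffffff: %d\n", fits_unchecked(0xFFFFFFFFu, 2));
    printf("good=%d bad=%d\n", psir_count_resources(GOOD, sizeof GOOD),
           psir_count_resources(BAD, sizeof BAD));
    return 0;
}
```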
Preconditions
- input: The attacker must provide a crafted XLS file.
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2019:2048 (mitre, vendor-advisory, x_refsource_REDHAT)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BCFXKOOATZ2B5G3G7EBXZWVZHEABN4ZV/ (mitre, vendor-advisory, x_refsource_FEDORA)
- usn.ubuntu.com/3668-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- bugs.freedesktop.org/show_bug.cgi (mitre, x_refsource_MISC)
- cgit.freedesktop.org/exempi/commit/ (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2018/03/msg00013.html (mitre, mailing-list, x_refsource_MLIST)