Unrated severityNVD Advisory· Published Mar 2, 2026· Updated Mar 2, 2026

Exiv2: Uncaught exception - cannot create std::vector larger than max_size()

CVE-2026-27631

Description

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. Prior to version 0.28.8, an uncaught exception was found in Exiv2. The vulnerability is in the preview component, which is only triggered when running Exiv2 with an extra command line argument, like -pp. Due to an integer overflow, the code attempts to create a huge std::vector, which causes Exiv2 to crash with an uncaught exception. This issue has been patched in version 0.28.8.

Affected products

Exiv2/Exiv2v5
Range: < 0.28.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Exiv2/exiv2/commit/659db316eef745899a778a1e0b760a971d1b69dfmitrex_refsource_MISC
github.com/Exiv2/exiv2/issues/3513mitrex_refsource_MISC
github.com/Exiv2/exiv2/pull/3514mitrex_refsource_MISC
github.com/Exiv2/exiv2/security/advisories/GHSA-p2pw-7935-c73jmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000