VYPR advisory · Published May 20, 2026 · 1 source

CVE-2026-3102: ExifTool Vulnerability on macOS Allows Arbitrary Command Execution via Image Metadata

A critical command injection vulnerability in ExifTool versions 13.49 and earlier on macOS allows attackers to execute arbitrary commands by embedding malicious metadata in image files.

Kaspersky's Global Research and Analysis Team (GReAT) has disclosed a critical vulnerability in ExifTool, a widely used utility for reading and writing metadata in image, PDF, audio, and video files. Tracked as CVE-2026-3102, the flaw affects ExifTool versions 13.49 and earlier on macOS and allows arbitrary command execution via unsanitized date values in image metadata. The vulnerability was discovered in February 2026 and patched by the developers within the same month.

The vulnerability resides in the `SetMacOSTags` function, which processes file creation dates on macOS using the Spotlight system attribute `MDItemFSCreationDate`. When ExifTool is invoked with the `-n` flag (which outputs machine-readable data without additional processing), the tool iterates through discovered tags. If a tag matches `MDItemFSCreationDate` or its internal alias `$FileCreateDate`, the tag's content is passed to the `SetMacOSTags` function without proper sanitization. An attacker can inject shell commands into the date field, which then reaches the `system()` sink, leading to arbitrary command execution.

To exploit the vulnerability, an attacker must use the `-tagsFromFile` feature to copy a malicious date value from a source tag (e.g., `DateTimeOriginal`) into the `FileCreateDate` field. Direct assignment to `FileCreateDate` is heavily validated, but copying via `-tagsFromFile` bypasses these checks and triggers the vulnerable code path. The attacker can prepare an image file with a crafted `DateTimeOriginal` tag containing shell commands, then use ExifTool to copy that value into `FileCreateDate`, resulting in command execution with the privileges of the user running ExifTool.
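The defensive pattern the advisory implies (a strict allow-list on the date value before it reaches any process-spawning sink, and an argument list instead of a shell string) as an added example; this is not ExifTool's code, it is Python rather than ExifTool's Perl, and the `setfile -d` command and its `MM/DD/YYYY` date format are assumptions standing in for whatever the real `SetMacOSTags` invokes.

```python
import re
from datetime import datetime, timedelta, timezone

# Allow-list for an ExifTool-style timestamp: "YYYY:MM:DD HH:MM:SS", optionally
# followed by fractional seconds and a "Z" or "+HH:MM" offset. Nothing else matches.
_DATE_RE = re.compile(
    r"^(\d{4}):(\d{2}):(\d{2}) (\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,9}))?(Z|[+-]\d{2}:\d{2})?$"
)


def parse_exif_date(value: str):
    """Return a datetime if `value` is well-formed and calendar-valid, else None.

    Trailing or embedded characters outside the pattern (including shell
    metacharacters copied in from another tag) simply fail the match."""
    m = _DATE_RE.fullmatch(value)
    if m is None:
        return None
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micro = int((frac or "0").ljust(6, "0")[:6])
    try:
        dt = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro)
        if tz == "Z":
            dt = dt.replace(tzinfo=timezone.utc)
        elif tz:  # "+HH:MM" / "-HH:MM"; timezone() rejects offsets of 24h or more
            sign = 1 if tz[0] == "+" else -1
            off = timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
            dt = dt.replace(tzinfo=timezone(sign * off))
    except ValueError:  # e.g. Feb 30th, hour 25, or an out-of-range offset
        return None
    return dt


def build_setfile_argv(date_value: str, path: str):
    """Build an argv list for a hypothetical `setfile -d <date> <path>` call.

    The date is validated first, and the result is a list for subprocess.run(),
    so no shell ever parses metadata-derived text (the system() pattern the
    advisory describes is avoided entirely)."""
    dt = parse_exif_date(date_value)
    if dt is None:
        raise ValueError("refusing to set creation date: malformed value")
    return ["setfile", "-d", dt.strftime("%m/%d/%Y %H:%M:%S"), path]


if __name__ == "__main__":
    # Constructed sample value; on macOS this argv could go to subprocess.run(argv, check=True).
    print(build_setfile_argv("2026:02:14 10:30:00", "/tmp/example.jpg"))
```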

Successful exploitation could lead to full system compromise, as the attacker can execute arbitrary shell commands. The vulnerability is particularly concerning because ExifTool is widely used by photographers, digital forensics experts, and system administrators for batch processing of media files. The attack requires user interaction—the victim must run ExifTool on a malicious image—but the ease of delivery via email or web downloads makes it a credible threat.

Kaspersky researchers discovered CVE-2026-3102 while auditing adjacent input validation routines in the ExifTool codebase, following a similar n-day vulnerability (CVE-2021-22204) that exploited weak regex-based sanitization before an eval sink. The developers released a patch in February 2026, and users are strongly advised to update to ExifTool version 13.50 or later. No active exploitation in the wild has been reported as of the publication date.

This vulnerability highlights the risks of unsanitized user input reaching system-level functions in widely used utilities. As metadata manipulation becomes more common in digital forensics and media management, developers must ensure that all user-controlled data is properly validated before being passed to dangerous sinks like `system()` or `eval()`.

Synthesized by Vypr AI