| Package | libexif |
|---|---|
| Version | 0.6.21-2+deb9u6 (stretch), 0.6.21-5.1+deb10u6 (buster) |
| Related CVEs | CVE-2026-32775 CVE-2026-40385 CVE-2026-40386 |

Three security vulnerabilities that can cause crashes or information leaks were discovered in libexif, a library that reads and writes EXIF metainformation from and to image files.
CVE-2026-32775
If the exif_mnote_data_get_value function in MakerNotes is passed
a size of 0, the passed-in buffer would be overwritten due to an
integer underflow.
CVE-2026-40385
An unsigned 32-bit integer overflow in Nikon MakerNote handling could
be used by local attackers to cause crashes or information leaks.
CVE-2026-40386
An integer underflow in size checking for Fuji and Olympus MakerNote
decoding could be used by attackers to crash or leak information out
of libexif-using programs.
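
The three bug classes named above (a size of 0 underflowing, a 32-bit sum wrapping, and a size check underflowing) are sketched below next to checks that cannot wrap. This is an added example, not libexif's code or its patch; every function name and sample value is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers illustrating the bug classes; not libexif code. */

/* Naive: "off + len" wraps at 32 bits, so a huge len passes the check. */
static int range_ok_naive(uint32_t off, uint32_t len, uint32_t size)
{
    return (uint32_t)(off + len) <= size;
}

/* Naive: "size - hdr" underflows to a huge value when size < hdr. */
static int fits_after_header_naive(uint32_t off, uint32_t size, uint32_t hdr)
{
    return off <= (uint32_t)(size - hdr);
}

/* Safe: compare len with the space left after off; nothing can wrap. */
static int range_ok(uint32_t off, uint32_t len, uint32_t size)
{
    return off <= size && len <= size - off;
}

/* Copy src into a caller buffer of maxlen bytes, always NUL-terminated.
 * Without the maxlen == 0 guard, "maxlen - 1" would become UINT_MAX. */
static char *copy_value(char *val, unsigned int maxlen, const char *src)
{
    size_t n;
    if (val == NULL || src == NULL || maxlen == 0)
        return NULL;
    n = strlen(src);
    if (n > maxlen - 1u)
        n = maxlen - 1u;
    memcpy(val, src, n);
    val[n] = '\0';
    return val;
}

int main(void)
{
    char buf[8]; /* constructed sample buffer and values below */
    printf("naive sum check accepts wrap: %d\n", range_ok_naive(16u, 0xFFFFFFF8u, 64u));
    printf("naive header check accepts:   %d\n", fits_after_header_naive(100u, 4u, 12u));
    printf("safe check accepts either:    %d\n", range_ok(16u, 0xFFFFFFF8u, 64u) || range_ok(100u, 12u, 4u));
    printf("size 0 rejected:              %d\n", copy_value(buf, 0u, "x") == NULL);
    printf("truncated copy:               %s\n", copy_value(buf, (unsigned int)sizeof buf, "NIKON-LONG-VALUE"));
    return 0;
}
```
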
For Debian 10 buster, these problems have been fixed in version 0.6.21-5.1+deb10u6.
For Debian 9 stretch, these problems have been fixed in version 0.6.21-2+deb9u6.
We recommend that you upgrade your libexif packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.