## This update for exiv2 fixes the following issues:

Update to exiv2 0.28.8:

* CVE-2024-24826: out-of-bounds read in QuickTimeVideo::NikonTagsDecoder (bsc#1219870).
* CVE-2024-25112: denial of service due to unbounded recursion in QuickTimeVideo::multipleEntriesDecoder (bsc#1219871).
* CVE-2024-39695: out-of-bounds read in AsfVideo::streamProperties (bsc#1227528).
* CVE-2025-26623: heap buffer overflow via writing metadata into a crafted image file (bsc#1237347).
* CVE-2025-54080: out-of-bounds read in `Exiv2::EpsImage::writeMetadata()` when writing metadata into a crafted image file (bsc#1248962).
* CVE-2025-55304: quadratic performance algorithm in the ICC profile parsing code of `JpegBase::readMetadata` (bsc#1248963).

* bsc#1219870
* bsc#1219871
* bsc#1227528
* bsc#1237347
* bsc#1248962
* bsc#1248963
* bsc#1259083
* bsc#1259084
* bsc#1259085
Cross-
* CVE-2024-24826
* CVE-2024-25112
* CVE-2024-39695
* CVE-2025-26623
* CVE-2025-54080
* CVE-2025-55304
* CVE-2026-25884
* CVE-2026-27596
* CVE-2026-27631
CVSS scores:
* CVE-2024-24826 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2024-24826 ( NVD ): 5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
* CVE-2024-24826 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2024-25112 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-25112 ( NVD ): 5.0 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
* CVE-2024-25112 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H