CVE-2025-55304

Publication date 29 August 2025

Last updated 10 July 2026


Ubuntu priority

Cvss 3 Severity Score

5.5 · Medium

Score breakdown

Description

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.

Why is this CVE low priority?

Resource consumption issue that has been rated low by upstream developers

Learn more about Ubuntu priority

Status

Package Ubuntu Release Status
exiv2 26.04 LTS resolute
Vulnerable, work in progress
25.10 questing Ignored end of life, was ignored [changes too intrusive]
25.04 plucky Ignored end of life, was needs-triage
24.04 LTS noble Ignored changes too intrusive
22.04 LTS jammy Ignored changes too intrusive
20.04 LTS focal Ignored changes too intrusive
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
exiv2

Severity score breakdown

CVSS version:

Base score 1.8 · Low

Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Base score 5.5 · Medium

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H


Access our resources on patching vulnerabilities