CVE-2026-40386

Name: CVE-2026-40386
Description: In libexif through 0.6.25, an integer underflow in size checking for Fuji and Olympus MakerNote decoding could be used by attackers to crash or leak information out of libexif-using programs.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release      Version     Status
libexif (PTS)     bullseye     0.6.22-3    vulnerable
                  bookworm     0.6.24-1    vulnerable
                  trixie       0.6.25-1    vulnerable
                  sid, forky   0.6.25-2    vulnerable

The information below is based on the following data on fixed versions.

Package    Type     Release       Fixed Version   Urgency   Origin   Debian Bugs
libexif    source   (unstable)    (unfixed)

Notes

Fixed by: https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b
