CVE-2025-55304
Publication date 29 August 2025
Last updated 10 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6.
Why is this CVE low priority?
Resource consumption issue that has been rated low by upstream developers
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| exiv2 | 26.04 LTS resolute |
Vulnerable, work in progress
|
| 24.04 LTS noble | Ignored changes too intrusive | |
| 22.04 LTS jammy | Ignored changes too intrusive | |
| 20.04 LTS focal | Ignored changes too intrusive | |
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
Severity score breakdown
CVSS version:
Base score
1.8 · Low
Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Base score
5.5 · Medium
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
References
Related Ubuntu Security Notices (USN)
- USN-8103-1
- Exiv2 vulnerabilities
- 18 March 2026
- USN-8103-2
- Exiv2 regression
- 19 March 2026