CVE-2026-40386
Description
Moderate: libexif security update
Mitigations
Mitigation details
Description
libexif: Denial of Service and information disclosure via integer underflow in MakerNote decoding
Red Hat statement
Moderate impact. An integer underflow in libexif's Fuji and Olympus MakerNote decoding could allow an attacker to cause a denial of service or information disclosure. This vulnerability affects programs that process specially crafted image files utilizing libexif.
CVSS v3: 4.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | libexif-0:0.6.22-6.el8_10 | RHSA-2026:20929 | 2026-05-26T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 10 | libexif | Affected |
| Red Hat Enterprise Linux 6 | libexif | Out of support scope |
| Red Hat Enterprise Linux 7 | libexif | Affected |
| Red Hat Enterprise Linux 9 | libexif | Affected |
Apply commands
yum update -y libexif
# or:
dnf upgrade -y libexif
Affected
| Vendor | Product | Status |
|---|---|---|
| redhat | Red Hat Enterprise Linux 10 | Affected |
| redhat | Red Hat Enterprise Linux 7 | Affected |
| redhat | Red Hat Enterprise Linux 9 | Affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
AlmaLinux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | libexif-0.6.22-6.el9_8.1.i686.rpm |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 0.6.25-1+deb13u1 |
| sid | Fixed | 0.6.26-1 |
| forky | Fixed | 0.6.26-1 |
| bullseye | Fixed | 0.6.22-3+deb11u1 |
| bookworm | Fixed | 0.6.24-1+deb12u1 |
Red Hat Fixed 2 releases
| Version | Status | Fixed in |
|---|---|---|
| 9 | Fixed | - |
| 8 | Fixed | libexif-0:0.6.22-6.el8_10 (RHSA-2026:20929) |
References
- https://security-tracker.debian.org/tracker/CVE-2026-40386
- https://www.suse.com/security/cve/CVE-2026-40386.html
- https://access.redhat.com/errata/RHSA-2026:20929
- https://bugzilla.redhat.com/2457687
- https://bugzilla.redhat.com/2457689
- https://errata.almalinux.org/8/ALSA-2026-20929.html
- https://access.redhat.com/errata/RHSA-2026:22553
- https://errata.almalinux.org/9/ALSA-2026-22553.html