CVE-2026-40386
- Source
- https://cve.org/CVERecord?id=CVE-2026-40386
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-40386.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-40386
- Downstream
- Related
- Published
- 2026-04-12T18:19:08.684Z
- Modified
- 2026-06-03T14:44:13.562543937Z
- Severity
-
- 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L CVSS Calculator
- Summary
- [none]
- Details
-
In libexif through 0.6.25, an integer underflow in size checking for Fuji and Olympus MakerNote decoding could be used by attackers to crash or leak information out of libexif-using programs.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40386.json", "cwe_ids": [ "CWE-191" ], "cna_assigner": "mitre" }- References
Affected packages
Git / github.com/libexif/libexif
Affected ranges
- Type
- GIT
- Repo
- https://github.com/libexif/libexif
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
cvs-migration
libexif-0_5_7-rc2
libexif-0_5_7-rc3
libexif-0_5_7-rc4
libexif-0_5_7-release
libexif-0_5_9-release
libexif-0_6_12-release
libexif-0_6_14-release
libexif-0_6_15-release
libexif-0_6_16-release
libexif-0_6_17-release
libexif-0_6_18-release
libexif-0_6_19-release
libexif-0_6_20-release
libexif-0_6_21-release
libexif-0_6_22-release
libexif-0_6_23-release
libexif-0_6_24-release
libexif-0_6_25-release
libexif-before-0_6_0-api-change
v0.*
v0.6.23
v0.6.24
v0.6.25
Database specific
vanir_signatures_modified
"2026-05-28T09:21:15Z"
vanir_signatures
[
{
"digest": {
"function_hash": "89651194716944256166666105002455224126",
"length": 292.0
},
"signature_type": "Function",
"id": "CVE-2026-40386-5d76fe76",
"target": {
"file": "libexif/olympus/exif-mnote-data-olympus.c",
"function": "exif_mnote_data_olympus_get_value"
},
"deprecated": false,
"source": "https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b",
"signature_version": "v1"
},
{
"digest": {
"function_hash": "89651194716944256166666105002455224126",
"length": 292.0
},
"deprecated": false,
"id": "CVE-2026-40386-8c7e5880",
"target": {
"file": "libexif/fuji/exif-mnote-data-fuji.c",
"function": "exif_mnote_data_fuji_get_value"
},
"signature_type": "Function",
"source": "https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b",
"signature_version": "v1"
},
{
"digest": {
"line_hashes": [
"134657048840523953532291051655678286599",
"330620488256842591126409580115434617653",
"318388110906489116545935652924689243310",
"201666159675207808264155098465449719230"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2026-40386-970107f3",
"target": {
"file": "libexif/olympus/exif-mnote-data-olympus.c"
},
"deprecated": false,
"source": "https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b",
"signature_version": "v1"
},
{
"digest": {
"line_hashes": [
"79348447117930777702955799481112448007",
"228581815217580039735945598299510135846",
"156379962593853258986688813785805367582",
"86655364894345662921658811840849055363"
],
"threshold": 0.9
},
"signature_type": "Line",
"id": "CVE-2026-40386-f3dbecf1",
"target": {
"file": "libexif/fuji/exif-mnote-data-fuji.c"
},
"deprecated": false,
"source": "https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b",
"signature_version": "v1"
}
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-40386.json"