2442359 – (CVE-2026-3102) CVE-2026-3102 exiftool: PNG file MacOS.pm SetMacOSTags OS command injection

Bug 2442359 (CVE-2026-3102) - CVE-2026-3102 exiftool: PNG file MacOS.pm SetMacOSTags OS command injection

Summary: CVE-2026-3102 exiftool: PNG file MacOS.pm SetMacOSTags OS command injection

Keywords:
Status:	NEW
Alias:	CVE-2026-3102
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-24 15:02 UTC by OSIDB Bzimport
Modified:	2026-02-24 18:42 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-24 15:02:12 UTC

A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulation of the argument DateTimeOriginal causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 13.50 is capable of addressing this issue. Patch name: e9609a9bcc0d32bd252a709a562fb822d6dd86f7. Upgrading the affected component is recommended.

Note You need to log in before you can comment on or make changes to this bug.