PYSEC-2021-877 — Vulnetix

PYSEC-2021-877 PUBLISHED CVSS 7.5 HIGH

An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows attackers to trigger a heap-based buffer overflow and cause a denial of service (DOS) via crafted metadata.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor	Product	Versions
PyPI	exiv2	0, 0.1, 0.11.0

Timeline

Jul 26, 2021 CVE Published
Oct 9, 2025 CVE Updated
May 1, 2026 Distribution Patch
May 1, 2026 Security Advisory

References

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMDT4PJB7P43WSOM3TRQIY3J33BAFVVE/ url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UYGDELIFFJWKUU7SO3QATCIXCZJERGAC/ url
https://github.com/Exiv2/exiv2/issues/1530 discussion
https://www.debian.org/security/2021/dsa-4958 advisory
https://lists.debian.org/debian-lts-announce/2021/08/msg00028.html advisory

Open in Interactive Console →