CVE-2026-40385

Description

In libexif through 0.6.25, an unsigned 32bit integer overflow in Nikon MakerNote handling could be used by local attackers to cause crashes or information leaks. This only affects 32bit systems.

How to fix CVE-2026-40385

To remediate CVE-2026-40385, upgrade the affected package to a fixed version below.

Debian/libexif—upgrade to 0.6.22-3+deb11u1 or later

Is CVE-2026-40385 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.6.22-3+deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-40385