The libexif library through version 0.6.25 contains an integer underflow vulnerability (CWE-191) in the exif_mnote_data_get_value function. When this function receives a zero size parameter, an integer underflow occurs, resulting in an overwrite of the input buffer during the decoding of MakerNotes metadata. This can lead to high impact consequences including confidentiality, integrity, and availability violations as indicated by the CVSS 3.1 base score of 7.4 with high impact on all three metrics. No patch or vendor remediation guidance is currently available.

Successful exploitation of this vulnerability can cause buffer overwrite due to integer underflow, potentially leading to arbitrary code execution or denial of service. The CVSS score of 7.4 reflects high impact on confidentiality, integrity, and availability. However, no known exploits are currently reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution when processing untrusted EXIF data with libexif, particularly MakerNotes. Avoid processing untrusted images or apply additional input validation if possible.