The vulnerability occurs when Exiv2 parses CRW image files, where the internal CrwMap::decode0x0805 function performs an out‑of‑bounds read. This allows an adversary to read unintended data from memory, potentially leaking sensitive information such as metadata or other data residing in the process address space. The weakness is classified as CWE‑125, a classic out‑of‑bounds read that can expose confidential data but does not allow arbitrary code execution or privilege escalation based on the current evidence.

Vulnerable versions are any releases of the Exiv2 library prior to 0.28.8. Applications, utilities, or services that rely on this library to handle CRW images—such as image editors, metadata processors, or automated media ingestion pipelines—could be impacted. The exact scope depends on the systems that use older Exiv2 binaries or source code.

The CVSS score of 2.7 indicates low overall impact, and the EPSS score of less than 1 percent suggests a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers would likely need to supply a crafted CRW file to the vulnerable application, inferring that the primary attack vector is local file input or potentially remote if the application accepts user‑supplied image data over a network. No known exploit code is publicly available, and the condition requires the parser to be invoked with the specific malformed data referenced in the patch commit.