CVE-2026-3102 Overview
A command injection vulnerability has been identified in ExifTool versions up to 13.49 when running on macOS. The vulnerability exists in the SetMacOSTags function within the lib/Image/ExifTool/MacOS.pm component, specifically in the PNG File Parser. By manipulating the DateTimeOriginal argument, an attacker can inject arbitrary operating system commands. This vulnerability is exploitable remotely and requires user interaction to process a malicious image file.
Critical Impact
Remote attackers can execute arbitrary OS commands on macOS systems by crafting malicious PNG files with specially crafted DateTimeOriginal metadata, potentially leading to system compromise.
Affected Products
- ExifTool versions up to 13.49
- Apple macOS (all versions when running vulnerable ExifTool)
Discovery Timeline
- February 24, 2026 - CVE-2026-3102 published to NVD
- February 26, 2026 - Last updated in NVD database
Technical Details for CVE-2026-3102
Vulnerability Analysis
This vulnerability is classified as OS Command Injection (CWE-77, CWE-78). The flaw resides in the macOS-specific tag handling code within ExifTool's PNG file parser. When processing image files, the SetMacOSTags function in lib/Image/ExifTool/MacOS.pm fails to properly sanitize the DateTimeOriginal argument before passing it to system-level operations.
On macOS systems, ExifTool integrates with native filesystem features to handle extended attributes and tags. The vulnerable function constructs system commands using user-controllable metadata from image files. Without proper input validation, an attacker can embed shell metacharacters or command sequences within the DateTimeOriginal EXIF field that will be executed when ExifTool processes the malicious file.
The exploit has been publicly disclosed, increasing the risk profile for organizations using vulnerable versions of ExifTool in automated image processing pipelines or user-facing applications.
Root Cause
The root cause is improper neutralization of special elements used in an OS command. The SetMacOSTags function accepts the DateTimeOriginal argument without adequately sanitizing shell metacharacters before incorporating it into system calls. This allows attackers to break out of the intended command context and execute arbitrary commands with the privileges of the ExifTool process.
Attack Vector
The attack is network-based and can be executed remotely. An attacker crafts a malicious PNG file containing specially formatted metadata in the DateTimeOriginal field. When a victim processes this file with ExifTool on macOS (either manually or through an automated workflow), the injected commands are executed on the target system. Common attack scenarios include:
- Uploading malicious images to web applications that use ExifTool for metadata extraction
- Sending crafted images via email or messaging platforms
- Hosting malicious images on websites where users might download and process them
The following diff, taken from the commit that shipped the fix in version 13.50, shows the release notes accompanying the patch:
RSS feed: https://exiftool.org/rss.xml
-Note: The most recent production release is Version 13.44. (Other versions are
+Note: The most recent production release is Version 13.50. (Other versions are
considered development releases, and are not uploaded to MetaCPAN.)
+Feb. 7, 2026 - Version 13.50 (production release)
+
+ - Added a few new Sony lenses (thanks Jos Roost)
+ - Added a couple of new Canon lenses (thanks Norbert Wasser)
+ - Decode another Samsung trailer tag
+ - Decode BlackLevels from some Canon CRW files (github #387)
+ - Updated Sony maker note decoding for the ILCE-7M5 (thanks Jos Roost)
+ - Patched potential MacOS security issue (thanks Tay Kiat Loong)
+ - Fixed -list options so reading image files beforehand doesn't add tags to
+ the output when running multiple commands using the -execute feature
+
Feb. 3, 2026 - Version 13.49
- Decode a couple of new Samsung trailer tags
+ - Disabled decoding of MenuSettings for the Nikon Z6III firmware 2.0 until the
+ changes can be worked through in detail
- Fixed problem where Google Photos had problems displaying ExifTool-edited
HEIC MotionPhoto images. Files written by older versions of ExifTool may be
repaired by re-writing with 13.49 or later
- - Disable decoding of MenuSettings for the Nikon Z6III firmware 2.0 until the
- changes can be worked through in detail
Jan. 31, 2026 - Version 13.48
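Review bot: the hunk shown is the Changes/README update from the release commit, not the modified lib/Image/ExifTool/MacOS.pm; the only visible line that refers to the security change is "+ - Patched potential MacOS security issue (thanks Tay Kiat Loong)", so the advisory's description of this as the security patch is not supported by what is quoted, and the SetMacOSTags diff should be shown alongside it. Two smaller points: the README note moves the production release from 13.44 to 13.50 while the 13.49 entry between them stays a development release, which matches the "(production release)" tag on the 13.50 entry; and the Nikon Z6III MenuSettings lines are relocated within the 13.49 section and reworded from "Disable" to "Disabled", a changelog cleanup unrelated to the fix that the surrounding text does not mention.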
Source: GitHub Commit e9609a9
Detection Methods for CVE-2026-3102
Indicators of Compromise
- Unusual child processes spawned from ExifTool or Perl interpreter on macOS systems
- PNG files with abnormally long or suspicious DateTimeOriginal metadata containing shell metacharacters (;, |, $(), backticks)
- Unexpected network connections or file system modifications following image processing operations
Detection Strategies
- Implement file integrity monitoring on systems running ExifTool to detect unauthorized modifications
- Deploy endpoint detection rules to monitor for suspicious command execution patterns originating from Perl processes
- Analyze image metadata before processing using sandboxed validation tools to detect potential injection attempts
- Review ExifTool version information across the environment to identify vulnerable installations
Monitoring Recommendations
- Configure logging for all ExifTool invocations on macOS systems, capturing both input files and command-line arguments
- Set up alerts for abnormal process trees where ExifTool spawns shell commands or network utilities
- Monitor for PNG files containing non-standard characters in EXIF date fields at ingress points
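The process-tree alert described in the monitoring list can be expressed as a small rule over process-creation telemetry. The script below is an added example for this advisory, not code from ExifTool or from the page: it walks a constructed list of process events (the field names pid/ppid/exe/cmdline are an assumption, not any EDR product's schema) and raises an alert when a shell, network or scripting tool appears beneath a process running the exiftool script, walking several parent hops so that an exiftool -> sh -> curl chain is caught even though curl's direct parent is the shell. The helper allowlist is an assumption to be baselined against your own telemetry.

```python
"""Flag suspicious descendants of ExifTool in macOS process telemetry.

Added example for this advisory; not code from ExifTool or from the page.
Field names on ProcEvent are an assumption, not any sensor's real schema.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    exe: str       # executable basename as the sensor reports it
    cmdline: str   # full command line


# exiftool is a Perl script, so sensors usually report the exe as perl.
PERL_EXES = {"exiftool", "perl", "perl5"}
SHELLS = {"sh", "bash", "zsh", "dash", "ksh"}
NETWORK_OR_SCRIPT_TOOLS = {"curl", "wget", "nc", "ncat", "ssh", "scp", "osascript", "python3"}
# Assumed allowlist of helpers ExifTool's macOS tag code may run for native
# tags; baseline this from your own telemetry before relying on it.
EXPECTED_HELPERS = {"xattr", "mdls", "setfile"}


def is_exiftool(ev: ProcEvent) -> bool:
    """True when the process is the exiftool script, directly or via perl."""
    return ev.exe in PERL_EXES and (ev.exe == "exiftool" or "exiftool" in ev.cmdline)


def exiftool_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                      max_depth: int = 3) -> Optional[ProcEvent]:
    """Nearest ExifTool ancestor within max_depth parent hops, else None."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None
        if is_exiftool(parent):
            return parent
        cur = parent
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, int, str]]:
    """Return (child pid, child exe, exiftool ancestor pid, reason) alerts."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if is_exiftool(ev) or ev.exe in EXPECTED_HELPERS:
            continue
        anc = exiftool_ancestor(ev, by_pid)
        if anc is None:
            continue
        if ev.exe in SHELLS:
            reason = "shell spawned"
        elif ev.exe in NETWORK_OR_SCRIPT_TOOLS:
            reason = "network/scripting tool spawned"
        else:
            reason = "unexpected child process"
        alerts.append((ev.pid, ev.exe, anc.pid, reason))
    return alerts


# Constructed sample telemetry: exiftool is run on an upload from a login
# shell; a shell and curl appear beneath it, while an unrelated curl under the
# user's own shell is included to show that it is not flagged.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, "launchd", "/sbin/launchd"),
    ProcEvent(410, 1, "bash", "bash -l"),
    ProcEvent(520, 410, "perl", "/usr/bin/perl /usr/local/bin/exiftool -j upload.png"),
    ProcEvent(521, 520, "xattr", "xattr -l upload.png"),            # assumed legitimate helper
    ProcEvent(522, 520, "sh", "sh -c curl http://example.invalid/beacon"),
    ProcEvent(523, 522, "curl", "curl http://example.invalid/beacon"),
    ProcEvent(430, 410, "curl", "curl https://example.invalid/update"),  # not under exiftool
]

if __name__ == "__main__":
    for pid, exe, anc, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} exe={exe} under exiftool pid={anc}: {reason}")
```

Running the script prints two alerts, one for the shell (pid 522) and one for curl (pid 523), both attributed to the exiftool process 520; the curl under the interactive bash is ignored because no ExifTool process is among its ancestors.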
How to Mitigate CVE-2026-3102
Immediate Actions Required
- Upgrade ExifTool to version 13.50 or later immediately on all macOS systems
- Audit systems for vulnerable ExifTool installations using version detection scripts
- Temporarily disable automated image processing workflows that use ExifTool until patching is complete
- Review logs for any signs of exploitation on systems running vulnerable versions
Patch Information
The vulnerability has been addressed in ExifTool version 13.50 released on February 7, 2026. The fix is identified by commit hash e9609a9bcc0d32bd252a709a562fb822d6dd86f7. The patch specifically addresses the input sanitization issue in the SetMacOSTags function. Organizations should upgrade by downloading the latest release from the GitHub Release v13.50 page or through their package manager.
Workarounds
- Run ExifTool in a sandboxed environment or container to limit the impact of potential command injection
- Implement strict input validation on image files before passing them to ExifTool, filtering or rejecting files with suspicious metadata
- Disable macOS-specific tag handling if not required by using ExifTool configuration options
- Process untrusted images on non-macOS systems where this specific vulnerability does not apply
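The "validate before ExifTool sees the file" advice in the Detection Strategies and Workarounds lists, and the ingress check for non-standard characters in EXIF date fields, can be implemented without ExifTool at all. The script below is an added example for this advisory, not code from ExifTool or from the page: it parses the PNG chunk structure directly (with CRC checks), pulls DateTimeOriginal (tag 0x9003) out of the eXIf chunk's TIFF structure (IFD0 and the ExifIFD it points to, either byte order), and rejects any value that is not in the strict EXIF form YYYY:MM:DD HH:MM:SS, which by construction excludes every metacharacter listed under Indicators of Compromise as well as malformed EXIF. The sample PNGs are constructed in-code for the demonstration; XMP-carried dates in iTXt chunks are out of scope here.

```python
"""Reject PNG files whose EXIF DateTimeOriginal is not a well-formed date.

Added example for this advisory; not code from ExifTool or from the page.
Allowlist validation: only the exact EXIF form YYYY:MM:DD HH:MM:SS passes.
"""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
EXIF_DATE_RE = re.compile(r"^\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}$")
TAG_EXIF_IFD = 0x8769          # IFD0 pointer to the ExifIFD
TAG_DATETIME_ORIGINAL = 0x9003


def iter_png_chunks(data: bytes):
    """Yield (type, body) for each chunk, verifying length and CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk")
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError(f"bad CRC in {ctype!r}")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def _ifd_entries(tiff: bytes, offset: int, e: str):
    """Yield (tag, type, count, raw 4-byte value field) of the IFD at offset."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    for i in range(n):
        yield struct.unpack_from(e + "HHI4s", tiff, offset + 2 + 12 * i)


def exif_datetime_original(tiff: bytes):
    """Return DateTimeOriginal as str from a TIFF/EXIF blob, or None if absent."""
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF header")
    (ifd0,) = struct.unpack_from(e + "I", tiff, 4)
    ifds = [ifd0]
    for tag, _typ, _count, raw in _ifd_entries(tiff, ifd0, e):
        if tag == TAG_EXIF_IFD:
            ifds.append(struct.unpack(e + "I", raw)[0])
    for ifd in ifds:
        for tag, typ, count, raw in _ifd_entries(tiff, ifd, e):
            if tag == TAG_DATETIME_ORIGINAL and typ == 2:  # ASCII
                # Values of 4 bytes or fewer are stored inline, larger ones at an offset.
                val = raw[:count] if count <= 4 else tiff[struct.unpack(e + "I", raw)[0]:][:count]
                return val.split(b"\0", 1)[0].decode("latin-1")
    return None


def check_png(data: bytes):
    """Return (ok, findings); findings are (source, value, problem) tuples."""
    findings = []
    try:
        for ctype, body in iter_png_chunks(data):
            if ctype != b"eXIf":
                continue
            val = exif_datetime_original(body)
            if val is not None and not EXIF_DATE_RE.match(val):
                findings.append(("eXIf:DateTimeOriginal", val, "not in YYYY:MM:DD HH:MM:SS form"))
    except (ValueError, struct.error) as exc:
        findings.append(("png", "", f"malformed file: {exc}"))  # reject rather than pass through
    return (not findings), findings


# --- constructed sample data (little-endian TIFF, fixed layout) -------------
def png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def build_tiff_with_dto(date: str) -> bytes:
    """TIFF with IFD0 -> ExifIFD -> DateTimeOriginal; offsets 8, 26 and 44 are fixed."""
    payload = date.encode("latin-1") + b"\0"
    hdr = b"II" + struct.pack("<HI", 42, 8)
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", TAG_EXIF_IFD, 4, 1, 26) + struct.pack("<I", 0)
    exif = struct.pack("<H", 1) + struct.pack("<HHII", TAG_DATETIME_ORIGINAL, 2, len(payload), 44) + struct.pack("<I", 0)
    return hdr + ifd0 + exif + payload


def build_sample_png(date: str) -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1 RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"eXIf", build_tiff_with_dto(date))
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


if __name__ == "__main__":
    for date in ("2026:02:01 12:00:00", "2026:02:01 12:00:00;echo x"):
        ok, findings = check_png(build_sample_png(date))
        print("ACCEPT" if ok else "REJECT", findings)
```

Run as a gate at the upload or ingest point, a rejected file never reaches ExifTool; the regular expression is an allowlist, so the check does not need a blocklist of shell characters and also catches truncated or mis-parsed EXIF, which is reported as malformed rather than silently accepted.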
# Verify ExifTool version
exiftool -ver
# Update ExifTool via Homebrew (if installed via Homebrew)
brew update && brew upgrade exiftool
# Alternative: Manual installation from source
wget https://github.com/exiftool/exiftool/archive/refs/tags/13.50.tar.gz
tar -xzf 13.50.tar.gz
cd exiftool-13.50
perl Makefile.PL
make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

