The Hidden Danger in Your Image Files: ExifTool Vulnerability CVE-2026-3102 Explained

Introduction

ExifTool is a widely used command-line utility and library for reading, writing, and editing metadata in a variety of file formats, including images, PDFs, audio, and video. In February 2026, Kaspersky's Global Research and Analysis Team (GReAT) uncovered a critical security flaw in ExifTool, tracked as CVE-2026-3102, that affects macOS systems running ExifTool version 13.49 or earlier. This vulnerability enables an attacker to execute arbitrary shell commands simply by embedding malicious instructions within an image file's metadata. The developers patched the issue within the same month, but the discovery highlights how seemingly innocuous metadata can be weaponized.

The Hidden Danger in Your Image Files: ExifTool Vulnerability CVE-2026-3102 Explained
Source: securelist.com

The Research Behind the Discovery

The investigation into CVE-2026-3102 began when a security researcher revisited an older vulnerability, CVE-2021-22204, which exploited weak regex-based sanitization in ExifTool's input handling. By auditing adjacent input validation routines across the codebase for similar oversights, the researcher uncovered a new sink in the system() function. Unlike the earlier flaw that targeted the eval function, this vulnerability leverages the system() call to execute commands directly on the host machine. Successful exploitation gives an attacker full control over the system, with the privileges of the user running ExifTool.

Technical Details

The Vulnerable Sink

In software security, a sink is a function that accepts tainted (user-controlled) data and can alter program execution. In ExifTool, both eval and system are dangerous sinks because they can execute system commands. For CVE-2026-3102, the sink is the system() function inside the SetMacOSTags routine. Using taint analysis, researchers traced how user-provided data flows into this function without proper validation.

Tracing the Command Construction

Within SetMacOSTags, the command executed by system() is built from three parts: $file (sanitized), $setTags (processed iteratively), and $val – the critical, unsanitized input. The $val variable originates from metadata values, specifically date/time fields. ExifTool relies on macOS's Spotlight system attribute MDItemFSCreationDate to handle file creation dates. This attribute is internally mapped to the alias $FileCreateDate, which becomes the vector for injection.


The Unsanitized Date Value

The vulnerability arises because, in certain code branches, the $val value is inserted directly into the shell command string without escaping or sanitization. An attacker can craft an image whose MDItemFSCreationDate contains shell metacharacters or commands. When ExifTool processes the image with the -n (--printConv) flag, which disables print conversion so that values are output in raw, machine-readable form, it reaches the vulnerable code path and the attacker's commands are executed.
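The three sections above describe the same defect from different angles: a tainted date value flows into a shell command string that reaches system(). The following Python example is added here to make that pattern concrete; it is not ExifTool's code (ExifTool is written in Perl) and it never executes anything. It places the flawed construction (quoted file path, raw date value) next to a hardened version that enforces a strict allow-list for ExifTool-style date strings and hands the value to the external tool as an argv list, so no shell ever parses it. The tool name `set-fs-date`, the helper function names and the sample metadata are all constructed for the illustration. The triage helper at the end generalises the check to any date-like tag in an `exiftool -j` style dump, which is what a defender would run over untrusted files before processing them.

```python
import re
import shlex

# Strict ExifTool-style date/time: "YYYY:mm:dd HH:MM:SS", optional fraction,
# optional "+HH:MM"/"-HH:MM" or "Z" zone. Anything else is rejected outright.
DATE_RE = re.compile(
    r"^\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?(?:[+-]\d{2}:\d{2}|Z)?$"
)

# Characters a POSIX shell treats specially. Used only to describe findings in
# triage output; the hardened path relies on the allow-list above, not on this.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\\\"'\n*?#~]")

# Constructed sample values for the demonstration (not taken from any real file).
GOOD_DATE = "2024:01:15 09:30:00"
TAINTED_DATE = "2024:01:15 09:30:00; echo injected"

# Placeholder name for the external tool that applies the date (hypothetical).
DATE_TOOL = "set-fs-date"


def vulnerable_command(path, val):
    """The flawed pattern: the file path is quoted, but the date value is dropped
    into the shell string unchanged. Returned for inspection only, never run."""
    return f"{DATE_TOOL} -d {val} {shlex.quote(path)}"


def is_strict_date(val):
    """Allow-list check: True only for a well-formed ExifTool date/time string."""
    return DATE_RE.match(val) is not None


def hardened_argv(path, val):
    """Hardened pattern: validate against the allow-list, then return an argv
    list. subprocess.run(argv) with a list never hands the value to /bin/sh."""
    if not is_strict_date(val):
        raise ValueError(f"refusing non-date value for {DATE_TOOL}: {val!r}")
    return [DATE_TOOL, "-d", val, path]


def suspicious_date_fields(metadata):
    """Triage helper: given a dict of tag -> value (the shape of exiftool -j
    output), return date-like tags whose values do not fit the strict pattern,
    together with the shell metacharacters they contain."""
    findings = []
    for tag, value in metadata.items():
        if not isinstance(value, str) or "Date" not in tag:
            continue
        if not is_strict_date(value):
            meta = sorted(set(SHELL_META_RE.findall(value)))
            findings.append((tag, value, meta))
    return findings


# Constructed metadata dump shaped like exiftool -j output.
SAMPLE_METADATA = {
    "SourceFile": "/tmp/sample.jpg",
    "FileCreateDate": TAINTED_DATE,
    "ModifyDate": GOOD_DATE,
    "CreateDate": "2024:01:15 09:30:00.250+01:00",
}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_command("/tmp/sample.jpg", TAINTED_DATE))
    print("hardened:  ", hardened_argv("/tmp/sample.jpg", GOOD_DATE))
    for tag, value, meta in suspicious_date_fields(SAMPLE_METADATA):
        print(f"suspicious {tag}: {value!r} (shell metacharacters: {meta})")
```

The design point is the order of defences: the allow-list rejects anything that is not a date before it gets near an external process, and the argv list removes the shell from the picture entirely, so even a value that slipped past validation would arrive at the tool as a single inert argument.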

Exploitation Requirements

Successfully exploiting CVE-2026-3102 requires the -n flag, which disables print conversion (pretty-printing of values); without it, the vulnerable branch is not reached. The attacker must also be able to deliver a crafted image file to the victim – for example, via email, a download, or a shared folder. The attack requires no privileges beyond those of the user running ExifTool.

Mitigation Steps

Users and administrators should immediately upgrade ExifTool to version 13.50 or later, which includes the patch released by the developers in February 2026. For those who cannot update immediately, avoid processing untrusted image files with the -n flag. Always disable automatic metadata handling in applications that embed ExifTool, and consider using alternative metadata tools if feasible.
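The two mitigations above (upgrade to 13.50 or later, and avoid -n on untrusted input until then) are easy to check mechanically. The Python below is an added audit helper, not part of the article or of ExifTool: it parses `exiftool -ver` output, compares it with the first fixed release, and scans scheduled or scripted invocations for the -n / --printConv option so that only jobs that are actually exposed get flagged. The sample job lines are constructed; the assumption that ExifTool release numbers always carry a two-digit minor field (13.49, 13.50, 14.00) is what makes the tuple comparison safe.

```python
import os
import re
import shlex
import shutil
import subprocess

# First release carrying the fix, per the advisory summarised above.
PATCHED_VERSION = (13, 50)

# Constructed sample invocations, as they might appear in a cron table or CI job.
SAMPLE_JOBS = [
    "exiftool -n -j /srv/uploads/incoming/*.jpg",
    "exiftool -j /srv/uploads/incoming/*.jpg",
    "/usr/local/bin/exiftool --printConv -FileCreateDate /srv/uploads/a.jpg",
]


def parse_exiftool_version(text):
    """Parse `exiftool -ver` output such as "13.49\\n" into (major, minor).
    Assumes ExifTool's fixed two-digit minor field, so tuple comparison is
    correct: (13, 49) < (13, 50) < (14, 0)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d{2})\s*", text)
    if not m:
        raise ValueError(f"unrecognised exiftool version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(text):
    """True when the reported version predates the fixed release."""
    return parse_exiftool_version(text) < PATCHED_VERSION


def installed_version():
    """Query the local binary; returns None when exiftool is not on PATH."""
    exe = shutil.which("exiftool")
    if exe is None:
        return None
    out = subprocess.run([exe, "-ver"], capture_output=True, text=True, check=True)
    return parse_exiftool_version(out.stdout)


def disables_print_conversion(cmdline):
    """True when an exiftool command line turns off print conversion, either
    with -n or its long form --printConv, the precondition for the bad branch."""
    argv = shlex.split(cmdline)
    if not argv or os.path.basename(argv[0]) != "exiftool":
        return False
    return any(arg in ("-n", "--printConv") for arg in argv[1:])


def audit(version_text, jobs):
    """A job is exposed only when the installed version predates the fix AND
    the job disables print conversion; everything else is reported as safe."""
    vulnerable = is_vulnerable_version(version_text)
    return [
        {"command": job, "exposed": vulnerable and disables_print_conversion(job)}
        for job in jobs
    ]


if __name__ == "__main__":
    ver = installed_version()
    if ver is None:
        print("exiftool not found on PATH; auditing sample jobs against 13.49")
        ver_text = "13.49"
    else:
        ver_text = "%d.%02d" % ver
        print("installed exiftool version:", ver_text)
    for result in audit(ver_text, SAMPLE_JOBS):
        state = "EXPOSED" if result["exposed"] else "ok"
        print(f"{state:8} {result['command']}")
```

Run it on each host that processes uploaded or externally sourced images; a job marked EXPOSED needs either the upgrade or the -n flag removed from its command line until the upgrade lands.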

Conclusion

CVE-2026-3102 serves as a sobering reminder that even mature, trusted utilities can harbor subtle injection flaws. The link between macOS's Spotlight attributes and ExifTool's file creation date handling created an unexpected attack surface. By understanding the root cause – an unsanitized variable reaching a system() call – developers can better audit similar code patterns. Stay updated, stay secure.
