Critical ExifTool Vulnerability (CVE-2026-3102) Threatens macOS Systems
Severity: High (Score: 72.6)
Sources: Cybersecuritynews, nvd.nist.gov, Securelist, Gbhackers
Keywords: exiftool, image, cve-2026-3102, vulnerability, macos, file, compromise
Severity indicators: vulnerability, CVE:CVE-2026-3102
Summary
A severe vulnerability in ExifTool (CVE-2026-3102) allows attackers to execute arbitrary shell commands on macOS systems by embedding malicious instructions in image file metadata. Discovered by Kaspersky's GReAT in February 2026, this flaw affects ExifTool versions 13.49 and earlier. Exploitation requires the use of the -n flag, enabling command injection via the SetMacOSTags function. The vulnerability has been publicly disclosed and poses a significant risk as it can be exploited remotely. Users are advised to upgrade to ExifTool version 13.50 to mitigate this risk. The flaw is linked to a previous vulnerability (CVE-2021-22204), showcasing ongoing issues with input validation in ExifTool. The potential for full system compromise makes this a critical security concern for macOS users.

Key Points:
- CVE-2026-3102 allows remote command execution on macOS via ExifTool.
- The vulnerability affects ExifTool versions 13.49 and earlier, patched in 13.50.
- Attackers can exploit this flaw by embedding malicious commands in image metadata.
Detailed Analysis
**Impact** macOS systems running ExifTool version 13.49 and earlier are affected by this vulnerability, enabling attackers to execute arbitrary shell commands with user-level privileges. The flaw primarily threatens users and organizations that process image, PDF, audio, or video files using ExifTool, including sectors relying on metadata extraction or manipulation. Exploitation can lead to full system compromise, potentially impacting business operations and exposing sensitive data. No specific geographic or sectoral distribution data is provided.

**Technical Details** The vulnerability (CVE-2026-3102) resides in the SetMacOSTags function of ExifTool's MacOS.pm component, specifically in the handling of the MDItemFSCreationDate and $FileCreateDate metadata tags. Attackers embed malicious shell commands within image metadata, which are executed via an unsanitized system() call when ExifTool processes files with the -n flag. This is a remote OS command injection exploiting the system() sink, similar in nature to CVE-2021-22204 but targeting a different execution function. The exploit has been publicly disclosed, and the attack vector involves delivering a crafted image file with malicious metadata.

**Recommended Response** Upgrade ExifTool to version 13.50 or later, which contains the patch addressing this vulnerability. Deploy detection rules to monitor for anomalous use of ExifTool with the -n flag and unexpected system command executions. Harden configurations by restricting ExifTool usage to trusted files and users. Monitor for suspicious image files containing manipulated MDItemFSCreationDate or $FileCreateDate tags. No additional IOCs or infrastructure details are provided in the sources.
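
One way to act on the recommended response, as an added example that is not taken from the cited sources: it checks the string printed by `exiftool -ver` against the 13.50 fix and flags process command lines that run ExifTool with `-n` (or its long form `--printConv`). The function names, the triage fields and the sample command lines are assumptions constructed for illustration.

```python
import os
import shlex
from decimal import Decimal, InvalidOperation

FIXED_VERSION = Decimal("13.50")  # first patched release, per the advisory
NO_PRINTCONV_FLAGS = {"-n", "--printconv"}  # -n and its long form

def is_vulnerable(ver_output: str) -> bool:
    """True if the text printed by `exiftool -ver` is a release below 13.50."""
    try:
        # ExifTool versions are decimal numbers, so compare numerically.
        return Decimal(ver_output.strip()) < FIXED_VERSION
    except InvalidOperation:
        raise ValueError(f"unrecognised version string: {ver_output!r}")

def uses_no_printconv(cmdline: str) -> bool:
    """True if a logged command line runs exiftool with print conversion off."""
    argv = shlex.split(cmdline)
    # Accept both `exiftool ...` and `perl /path/exiftool ...` invocations.
    for i, arg in enumerate(argv[:2]):
        if os.path.basename(arg).lower() == "exiftool":
            opts = argv[i + 1:]
            return any(o == "-n" or o.lower() in NO_PRINTCONV_FLAGS for o in opts)
    return False

def triage(ver_output: str, cmdlines: list[str]) -> dict:
    """Combine the host's version status with flagged executions."""
    vulnerable = is_vulnerable(ver_output)
    hits = [c for c in cmdlines if uses_no_printconv(c)]
    return {
        "upgrade_needed": vulnerable,
        "flagged": hits,
        "priority": "high" if vulnerable and hits else "low",
    }

# Constructed process-execution records (not from any real host).
SAMPLE_EVENTS = [
    "/usr/local/bin/exiftool -n -json /Users/alice/Downloads/photo.png",
    "/usr/local/bin/exiftool -json /Users/alice/Pictures/scan.jpg",
    "perl /opt/homebrew/bin/exiftool --printConv -G1 upload_0042.png",
    "/usr/bin/sips -g all note-n.png",
]

if __name__ == "__main__":
    print(triage("13.49\n", SAMPLE_EVENTS))
```
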
Source articles (5)
- CVE-2026-3102 — nvd.nist.gov · 2026-05-20
  A vulnerability was determined in exiftool up to 13.49 on macOS. This issue affects the function SetMacOSTags of the file lib/Image/ExifTool/MacOS.pm of the component PNG File Parser. This manipulatio…
- CVE-2021-22204 — nvd.nist.gov · 2026-05-20
  Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when parsing the malicious image Reference CISA's BOD 22-01 and Known Expl…
- Critical ExifTool Vulnerability Lets Hackers Compromise Macs via Malicious Images — Gbhackers · 2026-05-20
  A newly disclosed vulnerability in ExifTool, tracked as CVE-2026-3102, exposes macOS systems to command execution attacks through malicious image metadata, highlighting ongoing risks in widely used fi…
- Critical ExifTool Vulnerability Allows Attackers to Compromise Macs via Single Malicious Image — Cybersecuritynews · 2026-05-20
  ExifTool, a ubiquitous open-source utility for reading and writing file metadata, is at the center of a severe security flaw affecting macOS environments. Discovered by Kaspersky’s Global Research and…
- How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102) — Securelist · 2026-05-20
  ExifTool is a widely adopted utility for reading and writing metadata in image, PDF, audio, and video files. It is available both as a standalone command-line application and as a library that can be…
Timeline
- 2021-04-23 — CVE-2021-22204 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-02-24 — CVE-2026-3102 published: A vulnerability in ExifTool was disclosed, allowing command injection through image metadata.
- 2026-05-20 — Public disclosure of exploitation details: Kaspersky's GReAT detailed the vulnerability's impact and exploitation methods in their report.
- 2026-05-20 — Patch released for ExifTool: ExifTool developers released version 13.50 to address CVE-2026-3102, urging users to upgrade.
Related entities
- Malware (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-78 - OS Command Injection (Cwe)
- filecreatedate.at (Domain)
- macos.pm (Domain)
- null.to (Domain)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1059 - Command and Scripting Interpreter (Mitre Attack)
- T1203 - Exploitation for Client Execution (Mitre Attack)
- DjVu File Format (Platform)
- MacOS (Platform)
- ExifTool (Tool)
- Setfile (Tool)