ExifTool RCE: Kaspersky GReAT Uncovers macOS Command Injection via Metadata


In February 2026, Kaspersky's GReAT team identified and reported CVE-2026-3102, a remote command execution (RCE) vulnerability in ExifTool for macOS affecting versions 13.49 and below. The flaw resides in a function adjacent to the one exploited in the notorious CVE-2021-22204: same software, same attack surface—image metadata—but a different sink and delivery vector. The significance of this discovery cannot be overstated: ExifTool is the de facto standard in photography workflows, digital forensics, and CI/CD pipelines that process untrusted media. A single maliciously crafted image, if copied with the wrong flag, can trigger a shell under the user's nose.

Key Takeaways
  • The CVE-2026-3102 vulnerability specifically affects macOS systems running ExifTool 13.49 or earlier; it was discovered by Kaspersky GReAT and patched in February 2026.
  • The system() call within the SetMacOSTags function executes strings containing the $val parameter—the date value extracted from metadata—without sanitization, enabling the injection of quotes and arbitrary commands.
  • Exploitation requires the combined use of -tagsFromFile and the -n (--printConv) flag while copying metadata into FileCreateDate; writing the tag directly does not reach the vulnerable path.
  • While the filename is correctly escaped in the same function, the date value is not—a validation asymmetry that creates a critical security gap.

The Discovery: Probing Code Adjacent to a Historic Flaw

The research began with a systematic review of CVE-2021-22204, the ExifTool vulnerability that famously exposed millions of systems to RCE via eval() on DjVu metadata in 2021. GReAT researchers extended their analysis to surrounding validation routines, theorizing that similar flaws might persist in parallel branches of the codebase. This hypothesis proved correct: in SetMacOSTags, a function dedicated to handling macOS-specific tags, the vulnerable sink is not eval() but system()—a variation that alters the attack profile without diminishing its severity.

The discovery of vulnerabilities "neighboring" known flaws is a recurring pattern in software security. When a high-profile bug is publicized, patches often target the exact perimeter of the failure, sometimes leaving mirrored routines that share identical input-handling logic intact. CVE-2026-3102 confirms this rule: the sanitization logic applied to CVE-2021-22204 did not propagate to SetMacOSTags, despite both functions operating on analogous data types.

Technical Breakdown: How $val Reaches system() Without Filtering

The SetMacOSTags function translates Exif metadata into macOS extended filesystem attributes. When a user invokes ExifTool with -tagsFromFile to copy metadata from a source file to a destination and adds the -n flag, which disables print conversion so that values pass through in raw form, the code follows a specific execution path. If the destination tag matches MDItemFSCreationDate or FileCreateDate, the function constructs a shell command to invoke SetFile or an equivalent utility.

During the construction of this command, the filename ($file) undergoes proper escaping. However, the date value ($val), extracted directly from the source file's metadata field, does not receive the same treatment. This asymmetry is the core of the vulnerability: an attacker can craft an image whose date field contains quotes and shell sequences, and when ExifTool processes the copy via -tagsFromFile -n, the system() call executes the payload. This is not a buffer overflow or a use-after-free; it is a classic command injection, made possible by treating metadata as trusted input when it deserves no such trust.
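As an added illustration (not ExifTool's source and not code from the advisory), the following Python models the asymmetry just described: a composer that escapes the filename but interpolates the date verbatim, a shell-tokenisation check showing how a malformed date breaks the argument boundary, and a hardened form that allow-lists the date grammar and hands an argv list to the OS without any shell. The `setfile -d` form, the file name and both date values are constructed samples.

```python
import re
import shlex

# Constructed sample inputs (illustrative, not taken from the advisory).
FILENAME = "holiday photo.jpg"
GOOD_DATE = "2024:06:15 09:30:00+02:00"
BAD_DATE = '2024:06:15 09:30:00"; echo injected; "'   # quote and separator inside the date

# Allow-list grammar for an ExifTool-style date/time: YYYY:MM:DD HH:MM:SS,
# optional fractional seconds, optional Z or +HH:MM / -HH:MM offset.
DATE_RE = re.compile(r"\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})?")


def is_valid_date(val: str) -> bool:
    """Reject anything that is not a well-formed date; a quote, semicolon or
    backtick has no legitimate place in this field."""
    return DATE_RE.fullmatch(val) is not None


def compose_unsafe(file: str, val: str) -> str:
    """Hypothetical reconstruction of the bug class: the filename is escaped,
    the date is interpolated verbatim into a string destined for system()."""
    return f'setfile -d "{val}" {shlex.quote(file)}'


def shell_word_count(cmd: str) -> int:
    """Tokenise the command the way a POSIX shell would. A well-formed call is
    exactly four words: setfile, -d, <date>, <file>. More words means the date
    value escaped its quotes and the shell would see additional commands."""
    return len(shlex.split(cmd))


def compose_safe(file: str, val: str) -> list:
    """Hardened form: validate first, then build an argv list that is passed to
    subprocess.run(argv) with no shell=True, so no shell parses either value."""
    if not is_valid_date(val):
        raise ValueError(f"rejected date value: {val!r}")
    return ["setfile", "-d", val, file]
```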

Exploitation Constraints: Identifying High-Risk Vectors

A critical technical detail limits the attack surface: the vulnerable path is only triggered during metadata copying via -tagsFromFile, not during direct writing of FileCreateDate. If a user manually sets the date using -FileCreateDate="...", ExifTool does not traverse SetMacOSTags in the same manner. Furthermore, the -n (--printConv) flag is a mandatory prerequisite; without it, the value undergoes conversion and formatting that would likely interfere with the payload structure.

These constraints do not mitigate the risk so much as channel it. Automated pipelines—such as photo ingestion scripts, batch forensic tools, and web services that generate thumbnails while preserving metadata—are typical configurations where -tagsFromFile and -n appear together. A service receiving images from external sources and normalizing metadata before archiving could execute malicious code without human interaction, running with the privileges of the service account.

"The vulnerable code path is triggered only when $tag matches MDItemFSCreationDate or $FileCreateDate... the filename parameter is properly escaped, but the date value ($val) is not." — Kaspersky GReAT, Securelist

Mitigation and Security Recommendations

  1. Update ExifTool beyond version 13.49. Users should consult the official changelog to confirm the patch version; while sources indicate a fix was released in February 2026, the specific secure build number should be verified.
  2. Audit scripts and pipelines that combine -tagsFromFile with -n (--printConv). Identify cases where the source files come from untrusted parties and isolate that processing in sandboxed environments.
  3. Validate incoming metadata before passing it to ExifTool. Tools such as exiv2 in read-only mode, or dedicated parsers, may detect anomalies in date fields before they reach the vulnerable sink.
  4. Monitor system logs for anomalous invocations of SetFile or related utilities stemming from ExifTool processes. If execution occurs with elevated privileges, the potential for full system compromise is high.
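An added example for the audit step (not code from the advisory or from ExifTool): a small Python scanner that applies the advisory's trigger conditions to each exiftool invocation found in a shell script and grades it. The script contents and the verdict labels are constructed for illustration.

```python
import shlex
from os.path import basename

# Constructed sample ingestion script (hypothetical, not taken from the advisory).
SAMPLE_SCRIPT = """\
#!/bin/sh
exiftool -overwrite_original -tagsFromFile "$SRC" -n -FileCreateDate "$DST"
exiftool -tagsFromFile "$SRC" --printConv "-MDItemFSCreationDate<CreateDate" "$DST"
exiftool -tagsFromFile "$SRC" -n -all:all "$DST"
exiftool -tagsFromFile "$SRC" -all:all "$DST"
exiftool -n -FileCreateDate="2024:06:15 09:30:00" "$DST"
exiftool -a -G1 -s "$DST"
"""

# Destination tags the advisory names as the trigger of the SetMacOSTags path.
RISKY_TAGS = ("filecreatedate", "mditemfscreationdate")


def classify(argv):
    """Grade one exiftool argv against the advisory's conditions: metadata
    copying (-tagsFromFile) combined with print conversion disabled (-n or
    --printConv). 'vulnerable' when a risky destination tag is named explicitly,
    'review' when the copy set is implicit or wildcarded (it may still include
    the tag), 'low' otherwise (direct writes and read-only use)."""
    opts = [a.lower() for a in argv[1:]]
    copies = "-tagsfromfile" in opts
    no_conv = "-n" in opts or "--printconv" in opts
    names_tag = any(tag in a for a in opts for tag in RISKY_TAGS)
    if copies and no_conv and names_tag:
        return "vulnerable"
    if copies and no_conv:
        return "review"
    return "low"


def audit_script(text):
    """Return (line number, verdict) for every exiftool command in a shell script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if argv and basename(argv[0]) == "exiftool":
            findings.append((lineno, classify(argv)))
    return findings
```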

The Legacy of CVE-2021-22204: Recurring Patterns and Fragmented Responses

The genealogical relationship between this flaw and CVE-2021-22204 is more than a historical curiosity; it is an indicator of a structural issue. Four and a half years separate the two flaws, both within ExifTool, both in functions processing image metadata, and both caused by unsanitized input in execution sinks. The technical differences—eval() versus system(), direct writing versus copying with -tagsFromFile—do not mask the similarity in the underlying threat model.

For end-users, the lesson is that command-line tools inherited from the 90s, however indispensable, often carry assumptions about data trust that the modern web has rendered obsolete. For developers, this case highlights the need for variant analysis: when patching a high-visibility vulnerability, the review must extend to all functions sharing the same input logic, not just the documented exploit path.

Unresolved Details and Risk Assessment

The Kaspersky report stops short of demonstrating a full exploit chain, leaving open whether the flaw can be reproduced in practice without access to the code. It has not been stated whether the vulnerability has been observed in the wild, nor is a CVSS score currently available to quantify its severity. Furthermore, confirmation of the exact patched version number is missing; "February 2026" denotes the release month but not the specific build considered safe. These limitations, explicitly noted in the source material, prevent a definitive risk perimeter from being drawn and suggest caution during the update process.

FAQ

Am I at risk if I only use ExifTool to view image metadata?
No. According to the source, the vulnerable path requires the use of -tagsFromFile to copy data to FileCreateDate along with the -n flag. Standard reading or viewing operations do not trigger the compromised SetMacOSTags path.

Why is the filename escaped while the date value is not?
The source does not provide an explicit reason. It is hypothesized that filenames have undergone security reviews due to known path traversal risks, while date tag values may not have received the same scrutiny. This asymmetry is the core of the bug.

Does the February 2026 patch also cover CVE-2021-22204?
CVE-2021-22204 was patched separately in 2021. Users should not assume that the fix for CVE-2026-3102 retroactively addresses previous flaws; each vulnerability requires its own verification of status.
