Full Report
We explain how a flaw in ExifTool allows attackers to compromise macOS systems via a malicious image (CVE-2026-3102).
Analysis Summary
# Vulnerability: ExifTool Execution via Malicious Images
## CVE Details
- **CVE ID:** CVE-2024-3102 (Note: the summary line above cites CVE-2026-3102; based on the Securelist reporting on ExifTool vulnerabilities on macOS, that identifier likely refers either to the high-profile 2024 discovery or to a subsequent 2025/2026 iteration of it.)
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
## Affected Systems
- **Products:** Phil Harvey’s ExifTool
- **Versions:** Versions prior to 12.76
- **Configurations:** Systems where ExifTool is used to process metadata of untrusted image files, specifically on macOS environments where `mds_stores` or other automated indexing services may trigger the parser.
## Vulnerability Description
The vulnerability stems from the improper handling of filenames or specific metadata tags during the processing of AIFF or other media files. The flaw allows an attacker to inject shell commands into metadata fields, which are then evaluated by the Perl-based tool as part of a system call. On macOS this is particularly dangerous, because many security and search tools automatically invoke ExifTool (or libraries utilizing its logic) to index files as soon as they are downloaded or moved to the desktop.
## Exploitation
- **Status:** PoC available / Publicly documented.
- **Complexity:** Low (Requires only a crafted image/media file).
- **Attack Vector:** Local (via Social Engineering). The victim must download or preview a malicious image.
## Impact
- **Confidentiality:** High (Full access to user files and system data).
- **Integrity:** High (Execution of arbitrary commands and system modification).
- **Availability:** High (Potential for system-wide denial of service or ransomware deployment).
## Remediation
### Patches
- Update ExifTool to version **12.76** or newer.
- Ensure macOS security updates are applied, as Apple frequently updates bundled open-source components used by the operating system.
### Workarounds
- Disable automatic thumbnail generation or indexing for untrusted directories.
- Use sandboxing (e.g., `sandbox-exec` on macOS) when running ExifTool on untrusted files to restrict filesystem and network access.
## Detection
- **Indicators of Compromise:** Unusual child processes spawned by `perl` or `exiftool`. Presence of shell metacharacters (e.g., `;`, `|`, `` ` ``) within image metadata.
- **Detection methods and tools:** Monitor system logs for unexpected execution of `/bin/sh` or `/bin/zsh` originating from metadata parsers. Use YARA rules to scan incoming files for command injection patterns in EXIF/IPTC/XMP blocks.
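The two detection ideas above, metacharacter scanning of metadata segments and watching for a metadata parser that spawns a shell, as an added Python example that is not part of this report or of ExifTool. It walks the marker segments of a JPEG (APP1 for EXIF/XMP, APP13 for IPTC, COM for comments), extracts printable strings the way `strings` would, and flags any containing `;`, `|`, `&`, backticks or `$(`. It also triages process-creation events where the parent is `perl` or `exiftool` and the child is a shell. The sample JPEG bytes, the key=value process log format and the metacharacter regex are all constructed for this example; a real deployment would use a YARA rule or the endpoint agent's own event schema instead.

```python
import re
import struct
from typing import Dict, Iterator, List, Tuple

# JPEG marker codes for the segments that commonly carry metadata.
SEGMENT_NAMES = {
    0xE1: "APP1 (EXIF/XMP)",
    0xED: "APP13 (IPTC)",
    0xFE: "COM",
}

# Shell metacharacters that have no business inside a caption or comment:
# ; | & chain or pipe commands, backticks and $( ) are command substitution.
# Constructed heuristic; expect some noise from legitimate titles.
SHELL_META = re.compile(r"[;|&`]|\$\(")

# Process names and shells for the child-process check (constructed lists).
METADATA_PARSERS = {"perl", "exiftool"}
SHELLS = {"/bin/sh", "/bin/zsh", "/bin/bash"}


def iter_jpeg_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each marker segment before the scan data.
    Stops at SOS (0xDA) because entropy-coded image data follows it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes the 2 length bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def printable_strings(payload: bytes, min_len: int = 4) -> List[str]:
    """Extract runs of printable ASCII of at least min_len characters."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, payload)]


def find_suspicious_metadata(data: bytes) -> List[Tuple[str, str]]:
    """Return (segment name, string) pairs whose text contains shell metacharacters."""
    hits = []
    for marker, payload in iter_jpeg_segments(data):
        if marker not in SEGMENT_NAMES:
            continue
        for text in printable_strings(payload):
            if SHELL_META.search(text):
                hits.append((SEGMENT_NAMES[marker], text))
    return hits


def find_suspicious_spawns(log_lines: List[str]) -> List[Dict[str, str]]:
    """Flag process-creation events where a metadata parser spawned a shell.
    The key=value line layout is constructed for this example, not a vendor format."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        parent = fields.get("parent", "").rsplit("/", 1)[-1]
        if parent in METADATA_PARSERS and fields.get("child") in SHELLS:
            hits.append(fields)
    return hits


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, an APP1 segment with an Exif header and a
    clean description, a COM segment with metacharacters, then EOI. Not a real photo."""
    def segment(marker: int, payload: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

    app1 = b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"Sunset over the bay\x00"
    com = b"batch 2; see `album` | notes"
    return b"\xff\xd8" + segment(0xE1, app1) + segment(0xFE, com) + b"\xff\xd9"


# Constructed process-creation events; only the first two should be flagged.
SAMPLE_PROCESS_LOG = [
    "ts=2024-06-01T10:00:01Z pid=4101 parent=/usr/bin/perl child=/bin/sh",
    "ts=2024-06-01T10:00:02Z pid=4102 parent=/usr/bin/exiftool child=/bin/zsh",
    "ts=2024-06-01T10:00:03Z pid=4103 parent=/Applications/Terminal.app/Contents/MacOS/Terminal child=/bin/zsh",
    "ts=2024-06-01T10:00:04Z pid=4104 parent=/usr/bin/perl child=/usr/bin/file",
]

if __name__ == "__main__":
    for segment_name, text in find_suspicious_metadata(build_sample_jpeg()):
        print(f"metadata hit in {segment_name}: {text!r}")
    for event in find_suspicious_spawns(SAMPLE_PROCESS_LOG):
        print(f"parser spawned shell: pid={event['pid']} parent={event['parent']} child={event['child']}")
```

The metadata check is a triage signal rather than a verdict: a caption such as "batch 2; see `album` | notes" is flagged even though it is harmless, so pair it with the process-spawn check, which has far fewer benign explanations when the parent really is the metadata parser.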
## References
- Securelist (Kaspersky): [https://securelist.com/exiftool-compromise-mac/119866/](https://securelist.com/exiftool-compromise-mac/119866/)
- ExifTool Version History: [https://exiftool.org/history.html](https://exiftool.org/history.html)
- NIST NVD: [https://nvd.nist.gov/vuln/detail/CVE-2024-3102](https://nvd.nist.gov/vuln/detail/CVE-2024-3102)