How a single image takes control of a Mac | Securelist
Table of Contents
Introduction
Technical details
Disclaimer
Tracing the vulnerable sink
Finding an unsanitized date value
Planning the payload delivery
Bypassing the filter
Triggering the exploit
Patch analysis
How to protect against ExifTool vulnerability
Conclusions
Authors
Lucas Tay
Introduction
ExifTool is a widely adopted utility for reading and writing metadata in image, PDF, audio, and video files. It is available both as a standalone command-line application and as a library that can be embedded in other software. In this article, we break down CVE-2026-3102, an ExifTool vulnerability discovered by Kaspersky’s Global Research and Analysis Team (GReAT) in February 2026 and patched by the developers within the same month. Affecting macOS systems with ExifTool version 13.49 and earlier, this flaw could let an attacker run arbitrary commands by hiding instructions inside an image file’s metadata.
This investigation originated from revisiting an n-day vulnerability I first examined years ago: CVE-2021-22204. That flaw exploited weak regex-based sanitization before feeding user input into an eval sink. By auditing adjacent input validation routines across the ExifTool codebase for similar oversights, I discovered CVE-2026-3102. Successful exploitation of CVE-2026-3102 enables an attacker to execute arbitrary shell commands with the privileges of the user invoking ExifTool, potentially leading to full system compromise.
Technical details
Disclaimer
Exploiting CVE-2026-3102 requires the -n flag (the short form of --printConv), which disables ExifTool's print conversion so that tag values are read and written as raw, machine-readable data without additional processing.
Tracing the vulnerable sink
Taint analysis (also called tainted data analysis) detects "dirty" data that reaches dangerous locations without validation. In this context, a "sink" is a point or function in a program where data marked as "tainted", i.e., originating from an untrusted source such as user input, can affect the program's behavior. In ExifTool, the relevant sinks are eval and system, both of which are capable of executing system commands. While CVE-2021-22204 exploited an eval call as its sink, this vulnerability (CVE-2026-3102) targets a system call. Knowing the vulnerable sink, we needed to trace how user-controlled data reaches it. Below, we break down the details.
Finding an unsanitized date value
The screenshot above shows where the system() sink resides within the SetMacOSTags function. Tracing backward from system(), we identified the $cmd variable as the source of the executed command. This variable is assembled from three inputs: $file (properly sanitized), $setTags (processed iteratively), and $val (user-controlled and, crucially, left unsanitized in the vulnerable branch).
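To make the sink and the command assembly concrete, the following is an added illustration written for this edit, not ExifTool's own code. It models the pattern described above (filename escaped, date value interpolated raw into a shell string handed to system) next to a hardened version that validates the value and uses list-form system so no shell ever parses it. The helper tool name setfile, its -d option, the date regex and the sample values are assumptions made for the demonstration; the real SetMacOSTags branch may differ in exactly which command it runs.

```perl
#!/usr/bin/env perl
# Added example for this article; not code from ExifTool. Models the
# vulnerable assembly of $cmd (escaped $file, unescaped $val) and a fix.
use strict;
use warnings;

# Vulnerable pattern: $val (a metadata-derived date) is dropped into a
# shell string unescaped. Only the filename is protected by quotemeta.
# "setfile -d" is an assumed stand-in for the real helper command.
sub build_cmd_vulnerable {
    my ($file, $val) = @_;
    my $safe_file = quotemeta($file);            # filename: escaped
    return "setfile -d '$val' $safe_file";       # date: not escaped
}

# Hardened step 1: reject anything that is not a plain timestamp before it
# reaches the sink. The format (YYYY:mm:dd HH:MM:SS with optional zone) is
# an assumption for this demo.
sub validate_date {
    my ($val) = @_;
    return $val =~ /^\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}(?:[-+]\d{2}:\d{2})?$/
        ? 1 : 0;
}

# Hardened step 2: build an argument list, not a string. List-form
# system(@argv) execs the program directly; the shell never sees $val.
sub build_argv_safe {
    my ($file, $val) = @_;
    die "refusing non-date value for FileCreateDate: $val\n"
        unless validate_date($val);
    return ('setfile', '-d', $val, $file);
}

# Constructed inputs: a benign date and a value carrying a quote that
# closes the single-quoted date and starts a new shell command.
my $file    = 'photo.jpg';
my $benign  = '2026:02:01 12:00:00';
my $hostile = "2026:02:01 12:00:00' ; touch /tmp/pwned ; echo '";

print "vulnerable (benign):  ", build_cmd_vulnerable($file, $benign),  "\n";
print "vulnerable (hostile): ", build_cmd_vulnerable($file, $hostile), "\n";
# The hostile line above is a complete shell pipeline; system($cmd) would
# run "touch /tmp/pwned" as the invoking user.

my @argv = build_argv_safe($file, $benign);
print "safe argv: ", join(' | ', @argv), "\n";

eval { build_argv_safe($file, $hostile); 1 } or print "rejected: $@";
# In the real sink the only call that should remain is system(@argv) == 0
# or die; a string-form system($cmd) is what makes the quote injectable.
```

Either measure alone closes the hole shown here (the list form because the shell is gone, the regex because the quote never passes), but applying both is the defensive choice: the validation documents what a date is allowed to look like, and the list form protects any future branch that forgets to validate.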
In ExifTool, a tag is a named metadata field. When parsing an image, the utility extracts date and time values from standard EXIF records or macOS filesystem attributes. To handle file creation dates on macOS, ExifTool relies on the Spotlight system attribute MDItemFSCreationDate. Within the program code, this attribute maps to the internal alias $FileCreateDate. These two identifiers govern how the file creation date is stored and applied.
This creates a critical link to the vulnerability: when parsing an image, ExifTool iterates through the discovered tags. The current tag’s name is assigned to the $tag variable, while its text content (e.g., a date string) is assigned to $val. The vulnerable code path is triggered only when $tag matches MDItemFSCreationDate or $FileCreateDate. At this point, the tag’s content flows into $val and is passed to the SetMacOSTags function. As shown in the screenshot below, the filename parameter is properly escaped, but the date value ($val) is not. Because the date is extracted directly from file metadata, an attacker can inject quotes into this field. This breaks the command structure and allows the payload to execute via the...