new file mode 100644
@@ -0,0 +1,69 @@
+From 237f63c2abcd6c346bf5d27044ab76f5388bb4e8 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Sat, 7 Feb 2026 22:50:46 +0000
+Subject: [PATCH] Regression test for
+ https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
+
+CVE: CVE-2026-25884
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/191138fef73f331de1311e735d8e6359a36fa786]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ test/data/issue_ghsa_9mxq_4j5g_5wrp.crw | Bin 0 -> 74 bytes
+ .../github/test_issue_ghsa_9mxq_4j5g_5wrp.py | 24 ++++++++++++++++++
+ .../test_regression_allfiles.py | 1 +
+ 3 files changed, 25 insertions(+)
+ create mode 100644 test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
+ create mode 100644 tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+
+diff --git a/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw b/test/data/issue_ghsa_9mxq_4j5g_5wrp.crw
+new file mode 100644
+index 0000000000000000000000000000000000000000..816af2663b3ec93d0d4de4755a02b5d0f5d09640
+GIT binary patch
+literal 74
+zcmebDRA69W@NjhuaCUYH`mcZv7#X+>WPvJpfmnfwK>?&13|Kip6i5oF1;hjZi0B7h
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+new file mode 100644
+index 000000000..199328f25
+--- /dev/null
++++ b/tests/bugfixes/github/test_issue_ghsa_9mxq_4j5g_5wrp.py
+@@ -0,0 +1,24 @@
++# -*- coding: utf-8 -*-
++
++from system_tests import CaseMeta, CopyTmpFiles, path
++
++
++class CrwMap_decode0x0805_OutOfBoundsRead(metaclass=CaseMeta):
++ """
++ Regression test for the bug described in:
++ https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp
++ """
++
++ url = "https://github.com/Exiv2/exiv2/security/advisories/GHSA-9mxq-4j5g-5wrp"
++
++ filename = path("$data_path/issue_ghsa_9mxq_4j5g_5wrp.crw")
++ commands = ["$exiv2 $filename"]
++ stdout = ["""File name : $filename
++File size : 74 Bytes
++MIME type : image/x-canon-crw
++Image size : 0 x 0
++"""
++]
++ stderr = ["""$filename: No Exif data found in the file
++"""]
++ retval = [253]
+diff --git a/tests/regression_tests/test_regression_allfiles.py b/tests/regression_tests/test_regression_allfiles.py
+index d1bec2ed3..87caa9798 100644
+--- a/tests/regression_tests/test_regression_allfiles.py
++++ b/tests/regression_tests/test_regression_allfiles.py
+@@ -122,6 +122,7 @@ def get_valid_files(data_dir):
+ "issue_ghsa_g9xm_7538_mq8w_poc.mov",
+ "issue_ghsa_38h4_fx85_qcx7_poc.tiff",
+ "issue_ghsa_496f_x7cq_cq39_poc.jpg",
++ "issue_ghsa_9mxq_4j5g_5wrp.crw",
+ "pocIssue283.jpg",
+ "poc_1522.jp2",
+ "xmpsdk.xmp",
new file mode 100644
@@ -0,0 +1,25 @@
+From 5c5ab83247997396b8a7de8e4425a1a04db01c14 Mon Sep 17 00:00:00 2001
+From: Kevin Backhouse <kevinbackhouse@github.com>
+Date: Sat, 31 Jan 2026 15:31:55 +0000
+Subject: [PATCH] Fix out-of-bounds read.
+
+CVE: CVE-2026-25884
+Upstream-Status: Backport [https://github.com/Exiv2/exiv2/commit/5b8f1f4d92b8f27a5a80e0c3d3eb9dce7620d9f1]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/crwimage_int.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/crwimage_int.cpp b/src/crwimage_int.cpp
+index 9e2c1c6a4..1d2378a61 100644
+--- a/src/crwimage_int.cpp
++++ b/src/crwimage_int.cpp
+@@ -646,7 +646,7 @@ const CrwMapping* CrwMap::crwMapping(uint16_t crwDir, uint16_t crwTagId) {
+
+ void CrwMap::decode0x0805(const CiffComponent& ciffComponent, const CrwMapping* /*pCrwMapping*/, Image& image,
+ ByteOrder /*byteOrder*/) {
+- std::string s(reinterpret_cast<const char*>(ciffComponent.pData()));
++ auto s = std::string(reinterpret_cast<const char*>(ciffComponent.pData()), ciffComponent.size());
+ image.setComment(s);
+ } // CrwMap::decode0x0805
+
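Review bot: The replacement line in `CrwMap::decode0x0805` bounds the copy to `ciffComponent.size()`, but unlike the old C-string constructor it no longer stops at the first NUL, so any terminator or padding bytes stored in the component become part of the string handed to `image.setComment(s)`. Whether callers and writers of the comment tolerate embedded NULs is not visible in this hunk. If they do not, trimming after construction keeps the bound and restores the old semantics: `if (const auto nul = s.find('\0'); nul != std::string::npos) s.erase(nul);`. Because this is a verbatim upstream backport, the trim is better raised upstream than carried as a local deviation.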
@@ -4,7 +4,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=625f055f41728f84a8d7938acc35bdc2"
DEPENDS = "zlib expat brotli libinih"
-SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x;tag=v${PV}"
+SRC_URI = "git://github.com/Exiv2/exiv2.git;protocol=https;branch=0.28.x;tag=v${PV} \
+ file://CVE-2026-25884-1.patch \
+ file://CVE-2026-25884-2.patch \
+ "
SRCREV = "afcb7a8ba84a7de36d2f1ee7689394e078697956"
+PATCHTOOL = "git"
+
inherit cmake gettext
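Review bot: `PATCHTOOL = "git"` is set without a comment, so the reason for the override lives only in the commit message, and a later cleanup could drop it and break do_patch on the binary test file. Add a comment above it such as `# CVE-2026-25884-1.patch carries a GIT binary patch (test data) that the default patch tool cannot apply`. The first patch adds only test material (a .crw sample, a Python regression test and a file-list entry). If this recipe neither runs nor packages the upstream test suite, which this hunk does not show, carrying `CVE-2026-25884-2.patch` alone would close the CVE without the override.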
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-25884 Backport the commits referenced by the NVD advisory. One of the patches contains some binary data (for test data), which needs to be applied with git PATCHTOOL. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> --- .../exiv2/exiv2/CVE-2026-25884-1.patch | 69 +++++++++++++++++++ .../exiv2/exiv2/CVE-2026-25884-2.patch | 25 +++++++ meta-oe/recipes-support/exiv2/exiv2_0.28.7.bb | 7 +- 3 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-1.patch create mode 100644 meta-oe/recipes-support/exiv2/exiv2/CVE-2026-25884-2.patch