How a single image takes control of a Mac
CVE-2026-3102 is a command injection vulnerability in ExifTool (versions 13.49 and earlier) affecting macOS systems, discovered by Kaspersky GReAT in February 2026. The flaw stems from unsanitized handling of the FileCreateDate metadata field inside the SetMacOSTags function, where the $val variable is passed directly to a system() call without escaping. An attacker can build a malicious image whose EXIF metadata carries a specially crafted date value, use the -n flag to bypass date validation, and then trigger the vulnerable code path via the -tagsFromFile feature, which copies the payload into FileCreateDate. The result is arbitrary shell command execution with the privileges of the user running ExifTool. The fix in version 13.50 replaces string-concatenated system calls with a list-form argument API, eliminating shell interpretation risks. Mitigation includes upgrading to ExifTool 13.50+, isolating untrusted file processing, and monitoring open-source supply chain components.
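The two call styles named in the fix, side by side, as an added Perl illustration that is not ExifTool's source: /bin/echo stands in for the macOS helper, and the sub names, the sample value and the date pattern are constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # flush our own prints so they interleave correctly with child output

# Constructed sample: a date value carrying a shell command separator.
# It is not the input from the report; /bin/echo is a harmless stand-in.
my $val  = '2026:02:01 12:00:00; echo INJECTED';
my $file = 'photo.jpg';

# Before: one concatenated string. Perl finds shell metacharacters in it and
# runs the whole line through /bin/sh -c, so the ';' begins a second command.
sub set_date_string {
    my ($v, $f) = @_;
    return system("/bin/echo setdate $v $f");
}

# After: list form. Perl executes the program directly, no shell parses the
# arguments, and $v reaches the program as exactly one argument.
sub set_date_list {
    my ($v, $f) = @_;
    return system('/bin/echo', 'setdate', $v, $f);
}

# Defence in depth: accept only an EXIF-style date (assumed shape
# "YYYY:MM:DD HH:MM:SS" with an optional "+HH:MM" offset) before any call.
sub valid_date {
    my ($v) = @_;
    return $v =~ /\A\d{4}:\d{2}:\d{2} \d{2}:\d{2}:\d{2}(?:[+-]\d{2}:\d{2})?\z/;
}

print "string form:\n";
set_date_string($val, $file);    # two commands run: output is split in two lines

print "list form:\n";
set_date_list($val, $file);      # one command runs: the value is echoed literally

print "valid_date: ", (valid_date($val) ? "accepted" : "rejected"), "\n";
```

With the string form the text after the separator runs as its own command; with the list form the same value is only ever data, which is why the list form holds even when validation is skipped.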