http.c in Exiv2 through 0.27.1 allows a malicious http server to cause a denial of service (crash due to a NULL pointer dereference) by returning a crafted response that lacks a space character.
https://usn.ubuntu.com/4056-1/
https://support.f5.com/csp/article/K45429077?utm_source=f5support&%3Butm_medium=RSS
https://lists.debian.org/debian-lts-announce/2023/01/msg00004.html