Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2.
Published: 2026-01-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service / Memory Exhaustion
Action: Patch Immediately
AI Analysis

Impact

The iccDEV libraries contain an undefined-behavior bug and an out-of-memory bug in the CIccProfile::LoadTag() routine. The flaw can cause an application to crash or consume excessive memory when it processes a malformed ICC profile, leading to service interruptions. That a crafted or malformed ICC profile triggers the flaw is inferred from the description, which states that the issue occurs during profile loading. The vulnerability is classified under several CWEs, including resource exhaustion, out-of-bounds read, type confusion, integer overflow, and null pointer dereference, which together contribute to the high CVSS score of 8.8.

Affected Systems

All systems installing the International Color Consortium iccDEV packages at version 2.3.1.1 or earlier are vulnerable. This includes any environment that uses iccDEV to load or manipulate ICC color profiles.

Risk and Exploitability

Based on the description, an attacker would need to supply a crafted ICC profile that reaches the LoadTag() routine in order to trigger the vulnerability. The EPSS score is below 1%, indicating a low current likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would primarily cause a denial of service rather than remote code execution. While the statistical risk is modest, the potential for service disruption warrants prompt action.

Generated by OpenCVE AI on April 18, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later, which contains the fix for the undefined behavior and out-of-memory conditions.
  • Add input validation to ICC profile parsing code to ensure all tag data is within expected bounds before processing.
  • Configure application resource limits or sandboxing for ICC profile loading to contain any potential memory exhaustion or crashes.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Color; Color iccdev
CPEs |  | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products |  | Color; Color iccdev

Tue, 06 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products |  | Internationalcolorconsortium; Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 03:30:00 +0000

Type | Values Removed | Values Added
Description |  | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2.
Title |  | iccDEV Undefined Behavior (UB) and Out of Memory in CIccProfile::LoadTag()
Weaknesses |  | CWE-125, CWE-1284, CWE-190, CWE-20, CWE-400, CWE-476, CWE-787
References |  | 
Metrics |  | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T18:56:40.921Z

Reserved: 2025-12-29T14:34:16.005Z

Link: CVE-2026-21485

Vulnrichment

Updated: 2026-01-06T14:19:31.040Z

NVD

Status : Analyzed

Published: 2026-01-06T04:15:53.790

Modified: 2026-01-14T18:45:37.330

Link: CVE-2026-21485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z