Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2.
Published: 2026-01-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

iccDEV libraries contain a Use After Free, Heap-based Buffer Overflow, Integer Overflow or Wraparound, and Out-of-bounds Write in the CIccSparseMatrix::CIccSparseMatrix function. These flaws can allow an attacker to read, modify, or execute arbitrary code, potentially leading to loss of confidentiality, integrity, and availability of data processed by affected applications. The CVSS base score of 7.8 indicates a high severity scenario based on the potential impact of arbitrary code execution or denial of service.

Affected Systems

International Color Consortium iccDEV versions 2.3.1.1 and earlier are susceptible to this vulnerability. The flaw is specifically present in the CIccSparseMatrix implementation used by the library.

Risk and Exploitability

The EPSS score of less than 1% suggests a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the high CVSS rating indicates a serious risk if successfully exploited. The likely attack vector involves supplying a crafted ICC profile to an application that uses iccDEV; if the application runs with elevated permissions, the flaw could be leveraged for remote code execution. Successful exploitation would require the ability to deliver a malformed profile to the vulnerable component, which is feasible from untrusted or remote sources that can supply ICC data to the affected system.

Generated by OpenCVE AI on April 18, 2026 at 16:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later where the vulnerability is fixed.
  • Restrict or whitelist the ICC profiles that applications can load, ensuring only trusted profiles are processed.
  • If an immediate upgrade cannot be performed, isolate the affected systems from untrusted sources or disable color management operations that rely on iccDEV until a patch is applied.
  • Monitor application logs for unusual ICC profile loading or signs of buffer overflow behavior.

Generated by OpenCVE AI on April 18, 2026 at 16:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Tue, 06 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 04:00:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2.
Title Use After Free and Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write in iccDEV
Weaknesses CWE-122
CWE-190
CWE-416
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T14:42:20.572Z

Reserved: 2025-12-29T14:34:16.005Z

Link: CVE-2026-21486

cve-icon Vulnrichment

Updated: 2026-01-06T14:42:11.223Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-06T04:15:53.960

Modified: 2026-01-12T20:59:22.500

Link: CVE-2026-21486

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses