Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have Out-of-bounds Read and Integer Underflow (Wrap or Wraparound) vulnerabilities in its CIccCalculatorFunc::SequenceNeedTempReset function. This issue is fixed in version 2.3.1.2.
Published: 2026-01-06
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑Bounds Read (process crash; limited information disclosure)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is in iccDEV’s CIccCalculatorFunc::SequenceNeedTempReset function: an integer underflow (CWE‑191, wrap or wraparound) leads to an out‑of‑bounds read (CWE‑125). The CVSS v3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) rates the availability impact high and the confidentiality impact low, so the realistic outcome of parsing a crafted profile is a crash of the consuming process, with limited leakage of adjacent memory contents rather than arbitrary memory disclosure. The score of 6.1 indicates medium severity.
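As an added illustration of the CWE‑191 leading to CWE‑125 chain named above: the code below is hypothetical example code written for this page, not iccDEV’s SequenceNeedTempReset or any of its types, and it does not reproduce the actual defect. It shows the general shape of such a bug: an operation count and an offset taken from a parsed profile are subtracted without validation, the unsigned result wraps, and the loop then reads past the end of the operation array. The hardened version beside it validates the offset against the real container size before doing any arithmetic. The CalcOp type, the OP_TGET/OP_TPUT opcodes, the function names and the sample sequence are all constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical stand-ins for illustration only; these are not iccDEV's
// CIccCalcOp / CIccCalculatorFunc types and do not reproduce its logic.
enum CalcOpSig : uint16_t { OP_OTHER = 0, OP_TGET = 1, OP_TPUT = 2 };

struct CalcOp {
    CalcOpSig sig;  // opcode: temp read (tget), temp write (tput), or other
};

// Vulnerable shape (hypothetical): `nOps` and `pos` come from the parsed
// profile. If pos > nOps, the unsigned subtraction wraps (CWE-191) and the
// loop walks far past the end of `ops` (CWE-125). std::vector::at() stands
// in for the raw pointer a real parser would use, so the bad read surfaces
// as std::out_of_range here instead of undefined behaviour.
bool needTempResetVulnerable(const std::vector<CalcOp>& ops,
                             uint32_t pos, uint32_t nOps) {
    uint32_t remaining = nOps - pos;  // wraps to ~4 billion when pos > nOps
    for (uint32_t i = 0; i < remaining; ++i) {
        const CalcOp& op = ops.at(static_cast<size_t>(pos) + i);
        if (op.sig == OP_TPUT) return false;  // temp written first: no reset
        if (op.sig == OP_TGET) return true;   // temp read first: reset needed
    }
    return false;
}

// Hardened form: validate `pos` against the container that actually holds
// the ops before doing any arithmetic, and never derive the trip count
// from an unchecked subtraction. Returns -1 for a rejected input,
// otherwise 0 (no reset needed) or 1 (reset needed).
int needTempResetHardened(const std::vector<CalcOp>& ops, size_t pos) {
    if (pos > ops.size()) return -1;  // malformed offset: refuse, do not clamp
    for (size_t i = pos; i < ops.size(); ++i) {  // bounded by the real size
        if (ops[i].sig == OP_TPUT) return 0;
        if (ops[i].sig == OP_TGET) return 1;
    }
    return 0;
}

// Demo helper: report whether the vulnerable version attempted an
// out-of-bounds read for the given (pos, nOps) pair.
bool vulnerableReadsOutOfBounds(const std::vector<CalcOp>& ops,
                                uint32_t pos, uint32_t nOps) {
    try {
        (void)needTempResetVulnerable(ops, pos, nOps);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Constructed sample sequence (not taken from any real profile).
std::vector<CalcOp> sampleOps() {
    return {{OP_OTHER}, {OP_TGET}, {OP_TPUT}};
}

int main() {
    std::vector<CalcOp> ops = sampleOps();
    // Well-formed offset: both versions agree that a reset is needed.
    bool a = needTempResetVulnerable(ops, 1, 3);
    int  b = needTempResetHardened(ops, 1);
    // Offset past the end, as a crafted profile could supply: 3 - 5 wraps
    // in the vulnerable version; the hardened version rejects the input.
    bool c = vulnerableReadsOutOfBounds(ops, 5, 3);
    int  d = needTempResetHardened(ops, 5);
    return (a && b == 1 && c && d == -1) ? 0 : 1;
}
```

The point of the hardened form is that the only trustworthy bound is the size of the container actually holding the operations; a count or offset that arrived in the profile is attacker data and must be checked against that size before it feeds any subtraction or index.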

Affected Systems

InternationalColorConsortium’s iccDEV library and tools are affected, specifically versions 2.3.1.1 and earlier. The vulnerability is patched in version 2.3.1.2 and later releases.

Risk and Exploitability

The CVSS vector records the attack vector as local with user interaction required and no privileges needed (AV:L, UI:R, PR:N): an attacker has to get a crafted ICC profile parsed by an application built on iccDEV, for example by getting a user to open it. The SSVC assessment records exploitation as none and the flaw as not automatable, the EPSS score is below 1%, and the flaw is not listed in CISA’s KEV catalog. The medium CVSS score combined with low exploitation probability suggests moderate risk, but any workflow that loads profiles from untrusted sources is exposed to a crash and limited disclosure of adjacent memory, so organizations should not ignore it.

Generated by OpenCVE AI on April 18, 2026 at 16:55 UTC.

Remediation

The vendor fix is iccDEV version 2.3.1.2, as stated in the CVE description. No separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later to eliminate the integer underflow and out‑of‑bounds read.
  • If upgrading immediately is not possible, do not pass ICC profiles from untrusted sources to the affected code, and run the component that parses profiles in a sandboxed, low‑privilege process so that a crash or memory disclosure is contained.
  • Continuously review the InternationalColorConsortium advisories and keep the library updated to apply any future security patches.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Color
                                       Color iccdev
CPEs                                   cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products                     Color
                                       Color iccdev

Wed, 07 Jan 2026 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Internationalcolorconsortium
                                       Internationalcolorconsortium iccdev
Vendors & Products                     Internationalcolorconsortium
                                       Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 14:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:00:00 +0000

Type                  Values Removed   Values Added
Description                            iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have Out-of-bounds Read and Integer Underflow (Wrap or Wraparound) vulnerabilities in its CIccCalculatorFunc::SequenceNeedTempReset function. This issue is fixed in version 2.3.1.2.
Title                                  iccDEV has Out-of-bounds Read and Integer Underflow (Wrap or Wraparound)
Weaknesses                             CWE-125
                                       CWE-191
References
Metrics                                cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T14:10:18.405Z

Reserved: 2025-12-29T14:34:16.006Z

Link: CVE-2026-21489

Vulnrichment

Updated: 2026-01-06T14:10:11.619Z

NVD

Status : Analyzed

Published: 2026-01-06T14:15:48.590

Modified: 2026-01-14T18:46:33.683

Link: CVE-2026-21489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses