Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in unicode buffer overflow in `CIccTagTextDescription`. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-06
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption – potential for code execution
Action: Patch Immediately
AI Analysis

Impact

A unicode buffer overflow in the CIccTagTextDescription component of iccDEV can corrupt memory when processing ICC color profiles. The vulnerability is identified as CWE‑122 (Unchecked Input Buffer Size), CWE‑125 (Use After End of Buffer), and CWE‑193 (Signed to Unsigned Conversion). An attacker might supply a crafted ICC profile that triggers the overflow, leading to undefined behavior and possibly arbitrary code execution or a crash. No mitigations other than patching are known.

Affected Systems

The defect affects the iccDEV library provided by the International Color Consortium for all versions prior to 2.3.1.2. Users of this library who process ICC profiles are potentially exposed and should review the version of iccDEV installed on their systems.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Intended exploitation would likely involve an application that loads untrusted ICC profiles; as such the attack surface is local to the application and typically requires the attacker to supply a malicious profile, but remote exploitation is theoretically possible if the profile data originates from a network source.

Generated by OpenCVE AI on April 18, 2026 at 08:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later so the buffer overflow is fixed
  • Replace any dependent software that uses the older iccDEV library with a version that incorporates the patch
  • Restrict the loading of ICC color profiles to trusted sources and validate profile integrity before processing

Generated by OpenCVE AI on April 18, 2026 at 08:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 07 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in unicode buffer overflow in `CIccTagTextDescription`. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title iccDEV has unicode buffer overflow in CIccTagTextDescription
Weaknesses CWE-122
CWE-125
CWE-193
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T19:36:42.727Z

Reserved: 2025-12-29T14:34:16.006Z

Link: CVE-2026-21491

cve-icon Vulnrichment

Updated: 2026-01-06T19:30:39.320Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-06T19:16:08.907

Modified: 2026-01-12T18:29:22.697

Link: CVE-2026-21491

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses