Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2.
Published: 2026-01-06
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential memory corruption or unintended behavior during XML curve serialization
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from type confusion within the CIccSingleSampledeCurveXml class during XML Curve Serialization. This flaw may allow malformed input to be interpreted incorrectly, potentially leading to memory corruption or execution of unintended code. The weakness is categorized under CWE-188 (Type Confusion), CWE-703 (Inheritance Issues), and CWE-843 (Type Conversion or Cast Errors).

Affected Systems

The International Color Consortium's iccDEV library, versions 2.3.1.1 and earlier, is affected. The vendor released a fix in version 2.3.1.2, which remediates the type confusion in the XML serialization component.

Risk and Exploitability

The CVSS score of 6.6 classifies the issue as moderate severity. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, attackers would need to supply malicious XML data processed by the affected library, suggesting the risk is primarily local unless the library is exposed through a network interface.

Generated by OpenCVE AI on April 18, 2026 at 08:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or newer, which contains the fix for the type confusion flaw.
  • Ensure that any applications or services that perform XML Curve serialization are rebuilt or redeployed using the updated library and revalidate functional tests.
  • If an immediate upgrade is not possible, restrict or disable the CIccSingleSampledeCurveXml functionality, and rigorously validate all XML input used by the library to prevent malformed data from reaching the serialization routine.

Generated by OpenCVE AI on April 18, 2026 at 08:14 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Color; Color iccdev
Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Color; Color iccdev

Wed, 07 Jan 2026 10:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Internationalcolorconsortium; Internationalcolorconsortium iccdev
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Internationalcolorconsortium; Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 15:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 14:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2.
Type: Title
  Values Removed: (none)
  Values Added: iccDEV has Type Confusion during XML Curve Serialization
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-188; CWE-703; CWE-843
Type: References
  Values Removed: (none)
  Values Added:
Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T14:33:17.289Z

Reserved: 2025-12-29T14:34:16.006Z

Link: CVE-2026-21493

Vulnrichment

Updated: 2026-01-06T14:32:40.723Z

NVD

Status : Analyzed

Published: 2026-01-06T15:15:44.983

Modified: 2026-01-14T18:46:59.953

Link: CVE-2026-21493

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses