Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in a heap buffer overflow in `CIccTagLut8::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-06
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution due to memory corruption
Action: Immediate Patch
AI Analysis

Impact

iccDEV contains a heap buffer overflow in the CIccTagLut8::Validate() routine, the method that checks a lut8Type tag after it has been read from a profile. An attacker who can get a vulnerable application to load a crafted ICC profile can make Validate() access memory past the end of a heap buffer. The weaknesses recorded for the CVE (CWE-122 heap-based buffer overflow, CWE-125 out-of-bounds read, CWE-193 off-by-one) point to an off-by-one out-of-bounds access, and the CVSS vector (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) rates the assessed impact as a crash (high availability impact) with limited confidentiality impact and no integrity impact. Code execution is the worst case for heap memory corruption in native code, but nothing on this page establishes that it is reachable here; treat denial of service as the demonstrated outcome.

Affected Systems

International Color Consortium’s iccDEV library, versions prior to 2.3.1.2. Version 2.3.1.2 contains the fix. Applications that link iccDEV and run profile validation on files they receive are affected, whichever vendor name (Internationalcolorconsortium or Color) the CPE data uses for the product.

Risk and Exploitability

The CVSS 3.1 score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) is medium: the vector assumes the crafted profile reaches the application locally and needs a user action such as opening a file, with no privileges required. EPSS is below 1%, no public exploit is referenced on this page, the CVE is not in CISA’s KEV catalog, and the SSVC record in the history below marks exploitation as none and the flaw as not automatable. Any application that accepts ICC profiles from untrusted sources, including profiles embedded in images or documents, still exposes the vulnerable path, so the low exploitation likelihood is a reason to schedule the update, not to skip it.

Generated by OpenCVE AI on April 18, 2026 at 08:13 UTC.

Remediation

Vendor fix: iccDEV 2.3.1.2 or later. No workaround is provided.

OpenCVE Recommended Actions

  • Update iccDEV to version 2.3.1.2 or later.
  • Ensure all applications that link to iccDEV use the updated library version.
  • Restrict or validate ICC profiles from untrusted sources until the update is deployed.
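Added example, not iccDEV code and not the 2.3.1.2 patch: a structural pre-check that an application can run on an untrusted profile before handing it to the library, following the "restrict or validate" action above. It parses the ICC header and tag table and, for every lut8Type ('mft1') element, checks that the tables implied by the input-channel, output-channel and grid-point bytes (48-byte fixed part, 256 bytes per input channel, grid^inputs * outputs CLUT bytes, 256 bytes per output channel, per the ICC.1 lut8Type layout) actually fit inside the tag element, rejecting counts whose product overflows. The channel bounds (1..15) and the minimum of 2 grid points are assumptions for this example, the function names are hypothetical, and `check_sample` builds a constructed profile in memory rather than reading a real file. Whether this check would stop the specific input that triggers CVE-2026-21494 is not established here, since the trigger is not public on this page; it demonstrates the class of declared-size-versus-actual-size mismatch that a Validate() routine must handle without overrunning its buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of the structural pre-check (hypothetical API for this example). */
enum icc_check {
    ICC_OK = 0,
    ICC_ERR_HEADER,        /* too short, no 'acsp' signature, or bad tag count */
    ICC_ERR_TAG_BOUNDS,    /* a tag element lies outside the bytes we hold */
    ICC_ERR_LUT8_CHANNELS, /* lut8Type channel or grid counts out of range */
    ICC_ERR_LUT8_SIZE      /* lut8Type tables do not fit in the tag element */
};

static uint32_t rd32(const uint8_t *p) {          /* ICC fields are big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Bytes a lut8Type element needs for i input channels, o output channels and
 * g grid points: 48-byte fixed part, 256*i input tables, g^i*o CLUT bytes,
 * 256*o output tables. Returns 0 if g^i*o would overflow 64 bits. */
static uint64_t lut8_bytes(unsigned i, unsigned o, unsigned g) {
    if (g == 0) return 0;
    uint64_t clut = o;
    for (unsigned k = 0; k < i; k++) {
        if (clut > UINT64_MAX / g) return 0;
        clut *= g;
    }
    return 48 + 256ull * i + clut + 256ull * o;
}

static enum icc_check check_lut8(const uint8_t *el, uint32_t len) {
    if (len < 48) return ICC_ERR_LUT8_SIZE;
    unsigned i = el[8], o = el[9], g = el[10];
    /* Assumed bounds for this example: 1..15 channels, at least 2 grid points. */
    if (i < 1 || i > 15 || o < 1 || o > 15 || g < 2) return ICC_ERR_LUT8_CHANNELS;
    uint64_t need = lut8_bytes(i, o, g);
    if (need == 0 || need > len) return ICC_ERR_LUT8_SIZE;
    return ICC_OK;
}

/* Walk the tag table and pre-check every lut8Type ('mft1') element. */
enum icc_check icc_precheck(const uint8_t *buf, size_t n) {
    if (n < 132 || memcmp(buf + 36, "acsp", 4) != 0) return ICC_ERR_HEADER;
    if (rd32(buf) > n) return ICC_ERR_HEADER;   /* header claims more bytes than we hold */
    uint32_t count = rd32(buf + 128);
    if (count > (n - 132) / 12) return ICC_ERR_HEADER;
    for (uint32_t t = 0; t < count; t++) {
        const uint8_t *e = buf + 132 + 12 * t;    /* sig, offset, size */
        uint32_t off = rd32(e + 4), len = rd32(e + 8);
        if (off > n || len > n - off) return ICC_ERR_TAG_BOUNDS;
        if (len >= 8 && memcmp(buf + off, "mft1", 4) == 0) {
            enum icc_check r = check_lut8(buf + off, len);
            if (r != ICC_OK) return r;
        }
    }
    return ICC_OK;
}

/* Constructed sample, not a real profile: 128-byte header, one-entry tag table
 * and one lut8Type element sized for i/o/g. The tag table declares the true
 * length plus 'len_delta', and the grid byte on the wire is set to
 * 'grid_on_wire', so callers can model counts that disagree with the bytes. */
enum icc_check check_sample(unsigned i, unsigned o, unsigned g,
                            unsigned grid_on_wire, int32_t len_delta) {
    static uint8_t buf[8192];
    uint64_t true_len = lut8_bytes(i, o, g);
    size_t elem_off = 132 + 12;                  /* header + count + one entry */
    if (true_len == 0 || elem_off + true_len > sizeof buf) return ICC_ERR_HEADER;
    size_t total = elem_off + (size_t)true_len;
    memset(buf, 0, total);
    wr32(buf, (uint32_t)total);
    memcpy(buf + 36, "acsp", 4);
    wr32(buf + 128, 1);
    memcpy(buf + 132, "A2B0", 4);
    wr32(buf + 136, (uint32_t)elem_off);
    wr32(buf + 140, (uint32_t)((int64_t)true_len + len_delta));
    uint8_t *el = buf + elem_off;
    memcpy(el, "mft1", 4);
    el[8] = (uint8_t)i; el[9] = (uint8_t)o; el[10] = (uint8_t)grid_on_wire;
    return icc_precheck(buf, total);
}

int main(void) {
    printf("well-formed 3x3, grid 2:        %d\n", check_sample(3, 3, 2, 2, 0));
    printf("grid byte claims 17:            %d\n", check_sample(3, 3, 2, 17, 0));
    printf("declared length one byte short: %d\n", check_sample(3, 3, 2, 2, -1));
    printf("element runs past end of file:  %d\n", check_sample(3, 3, 2, 2, 1));
    return 0;
}
```

The one-byte-short case is the shape an off-by-one (CWE-193) takes at the format level: the tag element is 1607 bytes but the tables need 1608, so a validator that trusts the counts reads one byte past its allocation. A checked multiply for grid^inputs * outputs matters because 15 input channels at 255 grid points overflows 64 bits and would otherwise pass a naive size comparison.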

Generated by OpenCVE AI on April 18, 2026 at 08:13 UTC.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Color
                                      Color iccdev
CPEs                 -                cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products   -                Color
                                      Color iccdev

Wed, 07 Jan 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Internationalcolorconsortium
                                      Internationalcolorconsortium iccdev
Vendors & Products   -                Internationalcolorconsortium
                                      Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 19:15:00 +0000

Type          Values Removed   Values Added
Description   -                iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in heap buffer overflow in `CIccTagLut8::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title         -                iccDEV has heap buffer overflow in CIccTagLut8::Validate()
Weaknesses    -                CWE-122
                               CWE-125
                               CWE-193
References    -                -
Metrics       -                cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T19:25:12.331Z

Reserved: 2025-12-29T14:34:16.006Z

Link: CVE-2026-21494

Vulnrichment

Updated: 2026-01-06T19:24:43.348Z

NVD

Status : Analyzed

Published: 2026-01-06T19:16:09.077

Modified: 2026-01-12T18:29:53.877

Link: CVE-2026-21494

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses