Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the XML calculator macro expansion. This issue has been patched in version 2.3.1.2.
Published: 2026-01-07
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stack Overflow in XML calculator macro expansion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a stack overflow that occurs when the XML calculator macro expansion processes malicious input. The overflow corrupts memory and can lead to application crashes. The weakness is classified under several CWEs, including buffer overflow and unchecked input.

Affected Systems

The flaw affects the International Color Consortium's iccDEV library on any release older than version 2.3.1.2. Systems that load iccDEV to parse or manipulate ICC profiles and XML representations are at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild as of this analysis. The vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred to be remote, relying on an adversary's ability to supply crafted XML input to a component that uses iccDEV. If the application accepts untrusted XML from external sources, the risk escalates.

Generated by OpenCVE AI on April 18, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update your iccDEV installation to version 2.3.1.2 or later on all systems that use the library.
  • Restart any services or applications that load iccDEV so that the new binaries are in effect.
  • Conduct a brief security test of XML processing flows with malformed payloads to confirm that the stack overflow no longer occurs.

Generated by OpenCVE AI on April 18, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
Weaknesses CWE-787
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the XML calculator macro expansion. This issue has been patched in version 2.3.1.2.
Title Stack Overflow in iccDEV XML Calculator Macro Expansion
Weaknesses CWE-1119
CWE-20
CWE-400
CWE-674
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T18:21:34.592Z

Reserved: 2025-12-29T14:34:16.007Z

Link: CVE-2026-21500

cve-icon Vulnrichment

Updated: 2026-01-07T18:21:29.655Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T18:15:53.950

Modified: 2026-01-09T22:00:11.603

Link: CVE-2026-21500

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses