Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the calculator parser. This issue has been patched in version 2.3.1.2.
Published: 2026-01-07
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local code execution potential via crafted ICC profile
Action: Apply patch
AI Analysis

Impact

A stack overflow occurs in iccDEV's calculator parser when it parses ICC calculation expressions. Malicious input can corrupt the stack, potentially leading to arbitrary code execution or denial of service. The flaw stems from improper input validation and an out-of-bounds write, as indicated by the assigned weaknesses CWE-20 and CWE-787.

Affected Systems

All installations of iccDEV prior to version 2.3.1.2 are affected. The affected component is the iccDEV library that processes ICC color profiles. Enterprises that rely on iccDEV for managing ICC profiles, for instance in imaging, publishing or printing workflows, need to verify their version and upgrade if necessary.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate risk. The EPSS probability is below 1%, suggesting exploitation is unlikely at present. The vulnerability is not listed in CISA's KEV catalog. The flaw is a local stack buffer overflow (CVSS vector AV:L with UI:R), so an attacker must supply a crafted ICC profile that is then fed to the parser. If profiles are accepted from untrusted sources, the risk escalates.

Generated by OpenCVE AI on April 18, 2026 at 08:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later.
  • If upgrade is not possible, disable ICC profile parsing or restrict the usage of the vulnerable calculator parser to trusted inputs only.
  • Implement additional input validation to reject malformed or excessively large calculation expressions before parsing.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Color; Color iccdev
Weaknesses           -                CWE-787
CPEs                 -                cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products   -                Color; Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products   -                Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 19:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 17:30:00 +0000

Type         Values Removed   Values Added
Description  -                iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the calculator parser. This issue has been patched in version 2.3.1.2.
Title        -                Stack Overflow in iccDEV Calculator Parser
Weaknesses   -                CWE-20
References   -
Metrics      -                cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T18:22:09.246Z

Reserved: 2025-12-29T14:34:16.007Z

Link: CVE-2026-21501

Vulnrichment

Updated: 2026-01-07T18:22:03.343Z

NVD

Status: Analyzed

Published: 2026-01-07T18:15:54.100

Modified: 2026-01-09T21:33:44.810

Link: CVE-2026-21501

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses