Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap buffer overflow in the ToneMap parser. This issue has been patched in version 2.3.1.2.
Published: 2026-01-07
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow
Action: Immediate Patch
AI Analysis

Impact

icdev provides libraries that handle ICC color profiles. A heap buffer overflow exists in the ToneMap parser in all releases before 2.3.1.2. When parsing an ICC profile, the overflow can corrupt memory adjacent to the buffer, potentially leading to unpredictable behavior or denial of service. The vulnerability is a classic off‑by‑one or out‑of‑bounds write, as identified by the CWEs "CWE‑122", "CWE‑193", and "CWE‑787".

Affected Systems

All builds of iccDEV older than version 2.3.1.2 are affected. The impact applies to any application that incorporates iccDEV for color management, such as image editing suites, printing workflows, and other software that processes ICC profiles. The vendor is the International Color Consortium.

Risk and Exploitability

The CVSS score is 6.6, reflecting a moderate severity. EPSS is listed as less than 1%, indicating a low probability of real‑world exploitation at this time. The vulnerability is not in the CISA KEV catalog. Based on the function where the overflow occurs, the likely attack vector is local or remote via a crafted ICC file, inferred from the fact that the parser operates on file input. Because the library may be bundled in many applications, a malicious ICC profile could potentially compromise any host that loads it. The advice is to apply the patch promptly while monitoring for anomalous activity.

Generated by OpenCVE AI on April 18, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later to apply the vendor fix.
  • For software that cannot be updated immediately, restrict the loading of ICC profiles to trusted directories or disable the ToneMap parser for untrusted input.
  • Implement logging or monitoring of ICC profile processing to detect abnormal patterns that may indicate exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap buffer overflow in the ToneMap parser. This issue has been patched in version 2.3.1.2.
Title Heap Buffer Overflow in iccDEV ToneMap Parser
Weaknesses CWE-122
CWE-193
CWE-787
References
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T18:18:35.652Z

Reserved: 2025-12-29T14:34:16.007Z

Link: CVE-2026-21504

cve-icon Vulnrichment

Updated: 2026-01-07T18:18:28.921Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T18:15:54.537

Modified: 2026-01-09T21:34:19.607

Link: CVE-2026-21504

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses