Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to an invalid enum value. This issue has been patched in version 2.3.1.2.
Published: 2026-01-07
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unspecified behavior that may lead to data corruption or service disruption
Action: Apply patch
AI Analysis

Impact

The vulnerability in iccDEV is caused by an invalid enumeration value that triggers undefined behavior in the library code. When an invalid enum is passed to iccDEV functions, the resulting memory access or control flow may become unpredictable, potentially causing application crashes, memory corruption, or other erratic behavior. The underlying weaknesses are reflected by CWE‑20 (Improper Input Validation) and CWE‑843 (Inconsistent Type Conversion or Interpretation).

Affected Systems

The affected product is the InternationalColorConsortium iccDEV library and tools, specifically any releases prior to version 2.3.1.2. Versions 2.3.1.2 and later contain the patch that eliminates the undefined behavior triggered by invalid enum values.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS probability of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is currently not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would most likely require local access to an application that utilizes iccDEV and provides the opportunity to supply an invalid enumeration value, rather than being reachable via the network. As a result, the overall risk level is moderate but should be mitigated promptly to prevent unintended crashes or data corruption.

Generated by OpenCVE AI on April 18, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iccDEV to version 2.3.1.2 or later.
  • Validate enum values in your code before calling iccDEV functions to avoid passing invalid values.
  • Monitor application logs for abnormal crashes or segmentation faults that may indicate misuse of the library.

Generated by OpenCVE AI on April 18, 2026 at 16:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 08 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to an invalid enum value. This issue has been patched in version 2.3.1.2.
Title iccDEV has Undefined Behavior (UB) - Invalid Enum Value
Weaknesses CWE-20
CWE-843
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T19:18:19.744Z

Reserved: 2025-12-29T14:34:16.007Z

Link: CVE-2026-21505

cve-icon Vulnrichment

Updated: 2026-01-08T19:18:09.901Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T18:15:54.700

Modified: 2026-01-12T16:35:08.800

Link: CVE-2026-21505

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses