Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1.
Published: 2026-01-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via infinite loop in the calculation of profile identifiers
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the CalcProfileID function within iccDEV’s IccProfile.cpp source. An infinite loop condition triggers when processing profile identifiers, causing the application or library to become unresponsive. The weakness is classified as CWE‑835, which directly leads to a denial of service; confidentiality and integrity are not impacted, and exploitation results in halted processing rather than data exposure.

Affected Systems

The affected product is the InternationalColorConsortium iccDEV library. Versions up to and including 2.3.1 contain the issue. The defect was corrected in release 2.3.1.1.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is considered high severity. The EPSS score of less than 1% indicates a very low likelihood of exploitation in current threat data. The vulnerability is not listed in the CISA KEV catalog, reinforcing that it is not actively exploited. Based on the description, the attack vector is likely local or requires an attacker to invoke the library with crafted inputs. An attacker could trigger the infinite loop by causing the CalcProfileID function to receive problematic data, after which the process would consume CPU resources indefinitely until terminated.

Generated by OpenCVE AI on April 18, 2026 at 08:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.1 or newer.
  • If an upgrade is not possible, apply the patch from commit 3f3ce789d0d2b608c194ed172fa38943519dc198 to fix the infinite loop in IccProfile.cpp.
  • Monitor process CPU usage to detect and terminate stalled instances that may be caused by the vulnerability.

Generated by OpenCVE AI on April 18, 2026 at 08:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Tue, 06 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 00:30:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1.
Title iccDEV is Vulnerable to Denial of Service via Infinite Loop in CalcProfileID()
Weaknesses CWE-835
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T19:01:38.488Z

Reserved: 2025-12-29T14:34:16.008Z

Link: CVE-2026-21507

cve-icon Vulnrichment

Updated: 2026-01-06T14:24:21.712Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-06T01:16:01.917

Modified: 2026-01-12T21:04:26.417

Link: CVE-2026-21507

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:30:35Z

Weaknesses