Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1.
Published: 2026-01-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption / Potential Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in a function that parses the count of array elements in ICC XML profiles. An integer overflow or underflow can occur when this function processes malformed numeric values, leading to a corrupted memory reference. The result may be an application crash (denial of service) or, if the overflow is exploited in a controlled environment, arbitrary code execution. The weakness is a classic integer handling issue. The CVE mentions the fix in a later library release, indicating the impact is tangible for applications that use the iccDEV library when processing user‑supplied ICC profiles.

Affected Systems

Products owned by the International Color Consortium using the iccDEV library, version 2.3.1 and earlier. Users who integrate iccDEV or supply ICC color profiles to any software that relies on this library are affected. The fixed version 2.3.1.1 is available and should replace older releases.

Risk and Exploitability

The CVSS score of 7.8 classifies the vulnerability as high severity. While the EPSS score is below 1%, indicating a low prior probability of exploitation, the ever‑present possibility of an attacker supplying a malicious ICC profile means the risk is real for applications that ingest color profiles from untrusted sources. The vulnerability is not currently listed in the CISA KEV catalog and no public exploits are reported. Exploitation preconditions are minimal: a program that links against iccDEV and loads an ICC profile provided by an attacker. Hence the risk is moderate but warrants immediate mitigation.

Generated by OpenCVE AI on April 18, 2026 at 08:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iccDEV library to version 2.3.1.1 or later to apply the fix that avoids the integer overflow/underflow in CIccXmlArrayType::ParseTextCountNum().
  • If an upgrade is not immediately possible, limit the loading of ICC profiles to trusted sources only, and reject profiles containing unusually large counts or malformed numeric values. Ensure the application validates profile integrity before processing.
  • Deploy the latest version of iccDEV in all systems that handle ICC profiles, and monitor for any anomalous application crashes or unusual activity that may indicate an attempted exploitation of this integer handling flaw.

Generated by OpenCVE AI on April 18, 2026 at 08:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Tue, 06 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 02:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1.
Title iccDEV has Integer Overflow/Underflow in CIccXmlArrayType::ParseTextCountNum()
Weaknesses CWE-190
CWE-681
CWE-704
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T19:00:53.347Z

Reserved: 2026-01-02T18:45:27.394Z

Link: CVE-2026-21673

cve-icon Vulnrichment

Updated: 2026-01-06T14:23:29.790Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-06T02:15:45.343

Modified: 2026-01-12T21:03:33.537

Link: CVE-2026-21673

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:30:35Z

Weaknesses