Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1.
Published: 2026-01-06
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak leading to possible denial of service
Action: Patch
AI Analysis

Impact

iccDEV contains a memory leak in the CIccProfileXml::ParseTag() error path used during XML MPE parsing. When malformed XML is processed, the routine fails to release allocated memory, causing a gradual increase in usage. Repeated exploitation can exhaust system memory, crashing the application or any dependent services and resulting in a denial‑of‑service condition.

Affected Systems

The issue affects the InternationalColorConsortium’s iccDEV library, specifically versions 2.3.1 and earlier. The fix was introduced in version 2.3.1.1, which is not affected.

Risk and Exploitability

The CVSS score of 3.3 indicates low severity, and the EPSS score of less than 1% suggests a very low likelihood of real‑world exploitation. The vulnerability requires the attacker to supply crafted XML data to the iccDEV parser; the likely attack vector is through local or remote applications that import untrusted ICC profiles. The vulnerability is not listed in the CISA KEV catalog, but continuous monitoring is advisable due to the denial‑of‑service risk.

Generated by OpenCVE AI on April 18, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to iccDEV version 2.3.1.1 or later to eliminate the memory leak.
  • If an upgrade is not immediately possible, restrict the parser’s use to trusted input sources or isolate the service so that malformed profiles cannot affect critical applications.
  • Ensure proper memory handling when interfacing with iccDEV by validating that all dynamically allocated memory is deallocated correctly (CWE‑401).

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 21:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Color; Color iccdev
CPEs                 -                cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products   -                Color; Color iccdev

Tue, 06 Jan 2026 21:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products   -                Internationalcolorconsortium; Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 02:15:00 +0000

Type         Values Removed   Values Added
Description  -                iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1.
Title        -                iccDEV has a Memory Leak in its CIccProfileXml::ParseTag() Error Path
Weaknesses   -                CWE-401
References   -
Metrics      -                cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T19:00:41.835Z

Reserved: 2026-01-02T18:45:27.395Z

Link: CVE-2026-21674

Vulnrichment

Updated: 2026-01-06T14:23:20.163Z

NVD

Status : Analyzed

Published: 2026-01-06T02:15:45.503

Modified: 2026-01-12T21:02:37.677

Link: CVE-2026-21674

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses