Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1.
Published: 2026-01-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Use After Free that can corrupt memory and allow code execution or denial of service
Action: Apply Patch
AI Analysis

Impact

A memory corruption flaw exists in the iccDEV libraries: a hint manager object is deleted prematurely during the creation of a transform. This Use After Free condition can lead to crashes and, if an attacker can control how the freed memory is reused, can be leveraged for arbitrary code execution. The weakness is categorized as Use After Free (CWE-416) and also as Improper Input Validation (CWE-20).

Affected Systems

The vulnerability affects the International Color Consortium’s iccDEV libraries version 2.3.1 and earlier. The issue is resolved in version 2.3.1.1 and later releases. No other vendors or product lines are mentioned as impacted.

Risk and Exploitability

The flaw carries a CVSS score of 9.8 (Critical), indicating a severe risk, but its EPSS score is less than 1%, which indicates a low predicted likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would likely require execution of code that loads the affected library, such as through a local application or a specially crafted ICC profile that triggers the vulnerable function.

Generated by OpenCVE AI on April 18, 2026 at 08:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iccDEV libraries to version 2.3.1.1 or later to eliminate the Use After Free bug
  • If an upgrade is not immediately possible, isolate or remove any software that loads the vulnerable library versions from network exposure, reducing the attack surface
  • After applying the patch, restart all services and applications that use the library to ensure the vulnerable memory is cleared from use
  • Continuously monitor crash reports and logs for evidence of memory corruption that may signal other related issues


Advisories

No advisories yet.

History

Mon, 12 Jan 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Color; Color iccdev |
| CPEs | | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* |
| Vendors & Products | | Color; Color iccdev |

Tue, 06 Jan 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 06 Jan 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Internationalcolorconsortium; Internationalcolorconsortium iccdev |
| Vendors & Products | | Internationalcolorconsortium; Internationalcolorconsortium iccdev |

Tue, 06 Jan 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1. |
| Title | | iccDEV has a Use After Free vulnerability in CIccCmm class via improper hint manager object deletion |
| Weaknesses | | CWE-20; CWE-416 |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T19:00:17.976Z

Reserved: 2026-01-02T18:45:27.395Z

Link: CVE-2026-21675

Vulnrichment

Updated: 2026-01-06T14:22:54.254Z

NVD

Status: Analyzed

Published: 2026-01-06T02:15:45.643

Modified: 2026-01-12T21:00:31.740

Link: CVE-2026-21675

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:30:35Z

Weaknesses