Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1.
Published: 2026-01-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a heap-based buffer overflow in the CIccMBB::Validate() function of iccDEV. The function validates tag data in ICC color management profiles; an attacker can supply crafted data that overflows a heap buffer, potentially leading to arbitrary code execution or memory corruption. The weakness is identified as CWE-122, indicating that untrusted input is processed without proper bounds checking, which can compromise the confidentiality, integrity, and availability of the affected system.

Affected Systems

The International Color Consortium's iccDEV library and tools are affected, specifically versions 2.3.1 and earlier. The flaw was fixed in version 2.3.1.1. Systems that rely on these libraries to process ICC profiles, especially when accepting untrusted profiles from external sources, are at risk if they have not upgraded.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity, and the EPSS score of <1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been actively exploited. However, the heap overflow allows a local or remote attacker who can influence the ICC data stream to achieve arbitrary code execution. The attack likely requires the attacker to supply malicious ICC data to a system component that loads or validates profiles.

Generated by OpenCVE AI on April 18, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to iccDEV 2.3.1.1 or later to fix the heap overflow.
  • Restrict ICC profile processing to trusted sources and do not load profiles from unverified external inputs.
  • Review and modify application code paths that use CIccMBB::Validate to eliminate handling of untrusted ICC data if an upgrade is not immediately feasible.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Color, Color iccdev
CPEs | | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products | | Color, Color iccdev

Tue, 06 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Internationalcolorconsortium, Internationalcolorconsortium iccdev
Vendors & Products | | Internationalcolorconsortium, Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 03:30:00 +0000

Type | Values Removed | Values Added
Description | | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1.
Title | | iccDEV has a Heap-based Buffer Overflow in its CIccMBB::Validate() function
Weaknesses | | CWE-122
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T18:57:00.291Z

Reserved: 2026-01-02T18:45:27.395Z

Link: CVE-2026-21676

Vulnrichment

Updated: 2026-01-06T14:20:00.778Z

NVD

Status: Analyzed

Published: 2026-01-06T04:15:54.250

Modified: 2026-01-12T20:55:47.133

Link: CVE-2026-21676

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses