Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1.
Published: 2026-01-06
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

An undefined behavior flaw exists in iccDEV's CIccCLUT::Init function, which allocates and sizes the Color Lookup Table (CLUT). The bug originates from improper input validation (CWE‑20) combined with undefined memory handling (CWE‑758), allowing an attacker to craft a malformed ICC profile that can corrupt the program’s memory. Such corruption can lead to arbitrary code execution or program crashes, compromising confidentiality, integrity, and availability of systems that use the library.

Affected Systems

The vulnerability affects the International Color Consortium’s iccDEV library, specifically versions 2.3.1 and earlier. The issue was corrected in version 2.3.1.1, so any installation of 2.3.1 or older is susceptible.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, while the EPSS score of <1 % suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack would require an adversary to supply a malicious ICC file to a process that loads the library, implying a local or privileged attacker scenario. While exploit evidence is scarce, the high CVSS and the potential for remote code execution make the risk significant if unpatched.

Generated by OpenCVE AI on April 18, 2026 at 08:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.1 or later.
  • Restrict the use of untrusted ICC files or validate them before passing to his library to mitigate input‑related attacks.
  • Apply memory‑safety mechanisms such as stack canaries, address‑space randomization, or runtime sanitizers to reduce the impact of any remaining undefined behavior.

Generated by OpenCVE AI on April 18, 2026 at 08:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Tue, 06 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 03:30:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1.
Title iccDEV has Undefined Behavior in CIccCLUT::Init()
Weaknesses CWE-20
CWE-758
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-06T18:56:50.126Z

Reserved: 2026-01-02T18:45:27.395Z

Link: CVE-2026-21677

cve-icon Vulnrichment

Updated: 2026-01-06T14:19:41.864Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-06T04:15:54.397

Modified: 2026-01-12T20:40:01.490

Link: CVE-2026-21677

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:30:35Z

Weaknesses