Impact
A heap-buffer-overflow vulnerability exists in the IccTagXml() function of the iccDEV library, allowing an attacker to supply a crafted ICC profile that overflows an internal buffer during XML tag processing. The overflow can corrupt heap memory, potentially enabling arbitrary code execution or causing the target process to crash, which undermines confidentiality, integrity, or availability of the affected application. The weakness is classified under several CWE identifiers, including buffer over-read and out-of-bounds writes.
Affected Systems
The affected product is the International Color Consortium’s iccDEV, a set of libraries and tools for handling ICC color profiles. Versions prior to 2.3.1.2 are affected; the vendor notes that the fix was released in version 2.3.1.2. No other vendors or product variants are listed as affected.
Risk and Exploitability
The CVSS score of 7.8 indicates high severity, while the EPSS score of less than 1% suggests a very low current probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, implying no publicly documented attacks yet. Exploitation would likely require the attacker to supply a malicious ICC profile to an application linking iccDEV, which may be achievable via compromised user files or injected profiles in remote services. Given the heap nature of the flaw and the absence of documented exploits, the immediate risk is moderate, but the potential for arbitrary code execution warrants prompt remediation.
OpenCVE Enrichment