Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow in CIccLocalizedUnicode::GetText(). This issue has been patched in version 2.3.1.2.
Published: 2026-01-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption (potential Remote Code Execution)
Action: Patch Immediately
AI Analysis

Impact

A heap-buffer-overflow exists in the CIccLocalizedUnicode::GetText() function of the InternationalColorConsortium’s iccDEV libraries. The flaw allows the contents of a heap buffer to be read or written beyond its bounds, which can corrupt program state, cause crashes, or enable arbitrary code execution depending on the attacker’s payload. The vulnerability is classified as CWE‑20 (Improper Input Validation) and CWE‑787 (Out-of-Bounds Write).

Affected Systems

The affected product is International Color Consortium’s iccDEV, a library used for handling ICC color management profiles. Versions prior to 2.3.1.2 are vulnerable.

Risk and Exploitability

This vulnerability has a CVSS score of 8.8, indicating high severity, while its EPSS score is below one percent, suggesting a very low current exploitation likelihood. The issue is not listed in CISA’s KEV catalog. The flaw arises when an application parses an ICC profile through the CIccLocalizedUnicode::GetText() routine; the overflow can corrupt memory, potentially leading to arbitrary code execution or service disruption. The attack vector is likely local or remote via crafted ICC files, as the description does not specify remote network access. Mitigation requires applying the patched library.

Generated by OpenCVE AI on April 18, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or newer.
  • Rebuild or update applications that link to iccDEV to ensure they use the patched version.
  • Restrict access to ICC profile files and validate them before processing; implement sandboxing for profile parsing to limit impact.

Generated by OpenCVE AI on April 18, 2026 at 19:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
Weaknesses CWE-787
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow in CIccLocalizedUnicode::GetText(). This issue has been patched in version 2.3.1.2.
Title iccDEV has heap-buffer-overflow vulnerability in CIccLocalizedUnicode::GetText()
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T18:24:47.787Z

Reserved: 2026-01-02T18:45:27.396Z

Link: CVE-2026-21679

cve-icon Vulnrichment

Updated: 2026-01-07T18:24:30.218Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T18:15:55.143

Modified: 2026-01-09T21:34:28.597

Link: CVE-2026-21679

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses