Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have an Undefined Behavior runtime error. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Undefined behavior during ICC profile processing
Action: Apply Patch
AI Analysis

Impact

iccDEV contains an undefined behavior runtime error that is triggered when a NaN value falls outside its expected range in IccProfLib/IccTagBasic.cpp. This flaw can cause unpredictable application behavior, including crashes or incorrect processing of ICC profiles, and so can compromise the integrity of color management operations.

Affected Systems

The issue affects all releases of the International Color Consortium iccDEV library earlier than version 2.3.1.2. Users operating those legacy versions and processing ICC color profiles are at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 7.1, indicating moderate to high severity, but its EPSS score is below 1%, suggesting a low current probability of exploitation. It is not listed in the CISA KEV catalog. An attacker would need to supply a crafted ICC profile to trigger the undefined behavior, so exploitation is likely local or confined to applications that load user-supplied profiles.

Generated by OpenCVE AI on April 18, 2026 at 07:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iccDEV library to version 2.3.1.2 or later to apply the vendor’s patch.
  • Control the source of ICC profiles and enforce strict validation or sandboxing of profile processing to reduce the exposure to malformed data.
  • Maintain a monitoring strategy for application crashes or unexpected behavior to detect potential exploitation attempts.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Color; Color iccdev
CPEs | (none) | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Color; Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products | (none) | Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have an Undefined Behavior runtime error. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title | (none) | iccDEV has Undefined Behavior runtime error: nan is outside the range .. IccProfLib/IccTagBasic.cpp
Weaknesses | (none) | CWE-20
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T21:33:46.973Z

Reserved: 2026-01-02T18:45:27.396Z

Link: CVE-2026-21681

Vulnrichment

Updated: 2026-01-07T21:33:44.148Z

NVD

Status : Analyzed

Published: 2026-01-07T21:16:01.227

Modified: 2026-01-14T18:47:10.307

Link: CVE-2026-21681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses