Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow in `CIccXmlArrayType::ParseText()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption / Denial of Service
Action: Apply Patch
AI Analysis

Impact

A heap‑buffer‑overflow occurs when the CIccXmlArrayType::ParseText() function processes an ICC color profile. The flaw allows an attacker to corrupt memory, which could lead to a crash or, in the worst case, arbitrary code execution. No explicit documentation confirms code execution, but the overflow is a classic scenario that can be exploited for that purpose.

Affected Systems

The International Color Consortium’s iccDEV library is vulnerable. Any installation using a version earlier than 2.3.1.2 is at risk, because the patch that resolves the overflow was released in that update. Applications that load or manipulate ICC profiles via iccDEV are directly impacted.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% shows a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could exploit the issue by supplying a crafted ICC profile to a vulnerable application, which is a local‑execution risk unless the profile can be delivered remotely. The potential impact ranges from denial of service to possible code execution depending on how the memory corruption is leveraged.

Generated by OpenCVE AI on April 18, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or newer.
  • Validate or filter ICC profiles before processing to guard against malformed input.
  • Run applications that use iccDEV in a sandboxed environment to contain any potential exploitation.

Generated by OpenCVE AI on April 18, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow in `CIccXmlArrayType::ParseText()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title iccDEV has heap-buffer-overflow in CIccXmlArrayType::ParseText()
Weaknesses CWE-122
CWE-20
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T21:11:35.942Z

Reserved: 2026-01-02T18:45:27.396Z

Link: CVE-2026-21682

cve-icon Vulnrichment

Updated: 2026-01-07T21:11:28.564Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T21:16:01.380

Modified: 2026-01-14T18:47:43.933

Link: CVE-2026-21682

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses