Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLut16::Read()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability arises from undefined behavior within the CIccTagLut16::Read() function of the iccDEV library. Processing an ICC color profile that contains anomalous or malicious tag data may cause the library to access invalid memory or operate on uninitialized variables, potentially leading to memory corruption and Local Code Execution. The weakness is represented by CWE-20 (Improper Input Validation) and CWE-758 (Undefined Behavior).

Affected Systems

The affected product is the iccDEV library, produced by the International Color Consortium. Versions earlier than 2.3.1.2 are vulnerable, including all releases that handle ICC profiles. Applications that load or parse ICC profiles using the vulnerable library are at risk.

Risk and Exploitability

The CVSS score is 7.1, indicating high severity. EPSS is less than 1%, suggesting a very low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Based on the description, it is inferred that an attacker can supply a crafted ICC profile to the vulnerable library, either by making a user open a malicious file or through a service that automatically processes ICC data. The absence of bounds checking in CIccTagLut16::Read() makes the vulnerability exploitable locally without additional prerequisites, though successful exploitation depends on the library parsing the tainted profile.

Generated by OpenCVE AI on April 18, 2026 at 19:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to iccDEV version 2.3.1.2 or later to apply the fixed undefined behavior in CIccTagLut16::Read().
  • Validate ICC profiles before processing and reject any that contain malformed or unexpected tag data to mitigate potential exploitation.
  • Continuously monitor official advisory channels for updates and apply future patches promptly to maintain protection.

Generated by OpenCVE AI on April 18, 2026 at 19:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 21:45:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLut16::Read()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title iccDEV has Undefined Behavior in CIccTagLut16::Read()
Weaknesses CWE-20
CWE-758
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T21:42:21.742Z

Reserved: 2026-01-02T18:45:27.396Z

Link: CVE-2026-21685

cve-icon Vulnrichment

Updated: 2026-01-07T21:42:16.980Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T22:15:44.627

Modified: 2026-01-12T18:08:58.880

Link: CVE-2026-21685

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:30:08Z

Weaknesses