Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLutAtoB::Validate()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Undefined behavior in CIccTagLutAtoB::Validate() when a crafted ICC profile is validated; CVSS scores it as a high availability impact (crash of the process loading the profile) with low integrity impact and no confidentiality impact
Action: Patch immediately (upgrade to iccDEV 2.3.1.2 or later)
AI Analysis

Impact

The issue is undefined behavior in CIccTagLutAtoB::Validate(), the iccDEV routine that checks a parsed tag of that type while a profile is validated. Because the profile contents are under the attacker's control, a crafted file can drive Validate() into the undefined path; what happens next depends on the compiler and platform, which is why the record carries CWE-758 (reliance on undefined behavior) alongside CWE-20 (improper input validation). The CVSS vector (C:N/I:L/A:H) scores the realistic outcome as a crash or denial of service of the process that loads the profile, with limited integrity impact and no confidentiality impact; neither the advisory nor the SSVC assessment (Technical Impact: partial) claims code execution. The affected component is the profile-validation code in the iccDEV libraries, which graphics, imaging and print software link to validate ICC profiles.

Affected Systems

Any build of iccDEV prior to 2.3.1.2 that loads ICC color profiles; the NVD CPE (cpe:2.3:a:color:iccdev:*) carries no lower version bound. Exposure extends to any application that links the library and parses profiles from untrusted sources, for example graphics editors, display-management services and print pipelines that validate embedded or user-supplied ICC profiles.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) follows from the vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H: the crafted profile can arrive over the network and needs no privileges, but a user must open it or otherwise cause it to be processed (UI:R), and the scored impact is a high availability loss with low integrity loss and no confidentiality loss. EPSS is below 1% and the CVE is not in the CISA KEV catalog; the SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: partial, so no exploitation is known and the impact is judged partial rather than full compromise. The practical attack vector is a crafted ICC profile, for example one embedded in an image or document, handed to an application that links the vulnerable library.

Generated by OpenCVE AI on April 18, 2026 at 07:55 UTC.

Remediation

Fixed upstream in iccDEV 2.3.1.2, the patched release named in the CVE description. No workaround is known.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later; this is the only fix and no workaround exists
  • Audit applications and build pipelines that bundle or statically link iccDEV, and pin the dependency to the patched release so a rebuild cannot reintroduce an older copy
  • Until the upgrade lands, accept ICC profiles only from trusted sources and run profile parsing in a sandboxed, least-privilege process so that a crash in Validate() is contained
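A pre-ingestion triage check for the interim period, added here as an example and not code from iccDEV or OpenCVE: it parses the ICC header and tag table directly (128-byte header with 'acsp' at offset 36, big-endian tag count at offset 128, then 12-byte entries of signature, offset and size), rejects entries whose offset and size do not fit in the file, and lists which tags carry the lutAToBType ('mAB ') type signature. That 'mAB ' is the tag type handled by CIccTagLutAtoB is an assumption drawn from the class name. The sample profile and its corrupted copy are constructed inside the script.

```python
import struct

# Tag type signatures to flag. 'mAB ' is the ICC lutAToBType; that it is the type
# handled by CIccTagLutAtoB is assumed from the class name (see lead-in).
FLAGGED_TYPES = {b"mAB "}

HEADER_LEN = 128          # ICC profile header
TAG_COUNT_OFF = 128       # uint32 BE tag count follows the header
TAG_ENTRY_LEN = 12        # signature, offset, size (big-endian; offsets from file start)


def scan_icc(data):
    """Walk the tag table without trusting it; return tags, flagged tags and problems."""
    findings = {"tags": [], "flagged": [], "problems": []}
    if len(data) < TAG_COUNT_OFF + 4:
        findings["problems"].append("file shorter than header plus tag count")
        return findings
    if data[36:40] != b"acsp":
        findings["problems"].append("missing 'acsp' signature at offset 36")
    declared = struct.unpack_from(">I", data, 0)[0]
    if declared != len(data):
        findings["problems"].append(f"header size {declared} != file size {len(data)}")
    count = struct.unpack_from(">I", data, TAG_COUNT_OFF)[0]
    table_end = TAG_COUNT_OFF + 4 + TAG_ENTRY_LEN * count
    if table_end > len(data):
        findings["problems"].append(f"tag table of {count} entries runs past end of file")
        return findings
    for i in range(count):
        sig, off, size = struct.unpack_from(">4sII", data, TAG_COUNT_OFF + 4 + TAG_ENTRY_LEN * i)
        name = sig.decode("latin-1")
        # Bounds check done with Python ints, so a huge size cannot wrap around.
        if size < 8 or off + size > len(data):
            findings["problems"].append(f"tag '{name}': offset {off} size {size} does not fit")
            continue
        tag_type = data[off:off + 4]
        findings["tags"].append((name, tag_type.decode("latin-1"), off, size))
        if tag_type in FLAGGED_TYPES:
            findings["flagged"].append(name)
    return findings


def build_profile(tags):
    """Assemble a minimal ICC file from (signature, tag data) pairs. Constructed test input only."""
    header = bytearray(HEADER_LEN)
    header[36:40] = b"acsp"
    table = bytearray(struct.pack(">I", len(tags)))
    body = bytearray()
    base = HEADER_LEN + 4 + TAG_ENTRY_LEN * len(tags)
    for sig, payload in tags:
        table += struct.pack(">4sII", sig, base + len(body), len(payload))
        body += payload
    out = header + table + body
    struct.pack_into(">I", out, 0, len(out))   # header size field = actual file size
    return bytes(out)


# Constructed sample: an A2B0 tag of type 'mAB ' (3 input / 3 output channels,
# all sub-element offsets zero) and a plain 'text' description tag.
SAMPLE = build_profile([
    (b"A2B0", b"mAB " + b"\0" * 4 + b"\x03\x03\0\0" + b"\0" * 20),
    (b"desc", b"text" + b"\0" * 4 + b"constructed\0"),
])

# Constructed corrupt copy: the A2B0 entry's size field set to 0xFFFFFFFF.
CORRUPT = bytearray(SAMPLE)
struct.pack_into(">I", CORRUPT, TAG_COUNT_OFF + 4 + 8, 0xFFFFFFFF)
CORRUPT = bytes(CORRUPT)

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("corrupt", CORRUPT)):
        result = scan_icc(blob)
        print(label, "flagged:", result["flagged"], "problems:", result["problems"])
```

Run over a directory of inbound profiles, a flagged or problematic result is a reason to quarantine the file rather than hand it to a pre-2.3.1.2 iccDEV build. The check only inspects the tag table; it does not reproduce the bug, and it is not a substitute for the upgrade.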

Generated by OpenCVE AI on April 18, 2026 at 07:55 UTC.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:15:00 +0000

  First Time appeared (added): Color; Color iccdev
  CPEs (added): cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
  Vendors & Products (added): Color; Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

  First Time appeared (added): Internationalcolorconsortium; Internationalcolorconsortium iccdev
  Vendors & Products (added): Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 22:15:00 +0000

  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 21:45:00 +0000

  Description (added): iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagLutAtoB::Validate()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
  Title (added): iccDEV has Undefined Behavior in CIccTagLutAtoB::Validate()
  Weaknesses (added): CWE-20; CWE-758
  References (added):
  Metrics (added): cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T21:41:35.418Z

Reserved: 2026-01-02T18:45:27.396Z

Link: CVE-2026-21686

Vulnrichment

Updated: 2026-01-07T21:41:30.642Z

NVD

Status : Analyzed

Published: 2026-01-07T22:15:44.780

Modified: 2026-01-12T18:12:09.473

Link: CVE-2026-21686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses