Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `SIccCalcOp::ArgsPushed()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A type confusion flaw in the iccDEV library’s `SIccCalcOp::ArgsPushed()` routine can corrupt memory and lead to arbitrary code execution when the library processes a specially crafted ICC color profile. The vulnerability is rooted in improper type handling (CWE-190, CWE-20, CWE-476, CWE-681) and carries a CVSS score of 8.8, which rates the potential damage from exploitation as high severity. The impact would include loss of confidentiality, integrity, and availability of any process that loads untrusted profiles, potentially allowing an attacker to execute code with the privileges of the calling process.

Affected Systems

Version 2.3.1.2 and newer of the International Color Consortium’s iccDEV library are unaffected. All earlier releases (2.3.1.1 and earlier) are vulnerable and may be present in systems that rely on iccDEV to load or edit ICC profiles.

Risk and Exploitability

The CVSS score of 8.8 places the vulnerability in the high severity range, yet the EPSS score is below 1%, suggesting that, although exploitable, it is not currently a widespread target. The flaw is not listed in CISA’s KEV catalog. Attackers would need to supply a malicious ICC profile to the vulnerable code path; thus the likely vector is any local or remote application that processes user-supplied color profiles. Once the type confusion triggers memory corruption, an attacker may achieve code execution or privilege escalation depending on the context in which iccDEV is used.

Generated by OpenCVE AI on April 18, 2026 at 07:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the iccDEV library to version 2.3.1.2 or newer to remove the type‑confusion flaw.
  • Restrict the loading of ICC profiles to trusted sources only, rejecting or sanitizing any that appear malformed before passing them to the library.
  • Monitor application logs or crash reports for unexpected behavior when processing profiles, and be prepared to roll back updates if stability issues arise.


Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:30:00 +0000

Values added:
  • First Time appeared: Color; Color iccdev
  • CPEs: cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
  • Vendors & Products: Color; Color iccdev

Thu, 08 Jan 2026 18:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 10:00:00 +0000

Values added:
  • First Time appeared: Internationalcolorconsortium; Internationalcolorconsortium iccdev
  • Vendors & Products: Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 22:00:00 +0000

Values added:
  • Description: iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `SIccCalcOp::ArgsPushed()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
  • Title: iccDEV has Type Confusion in SIccCalcOp::ArgsPushed() at IccProfLib/IccMpeCalc.cpp
  • Weaknesses: CWE-190; CWE-20; CWE-476; CWE-681
  • References
  • Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T14:47:10.716Z

Reserved: 2026-01-02T18:45:27.397Z

Link: CVE-2026-21688

Vulnrichment

Updated: 2026-01-08T14:47:06.099Z

NVD

Status: Analyzed

Published: 2026-01-07T22:15:45.087

Modified: 2026-01-12T18:15:23.147

Link: CVE-2026-21688

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z