Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Type confusion leading to potential memory corruption or code execution
Action: Patch Immediately
AI Analysis

Impact

Versions of the iccDEV library before 2.3.1.2 contain a type confusion vulnerability in CIccProfileXml::ParseBasic(). When parsing an ICC color profile, this flaw allows an attacker to construct input that causes the library to treat data as an incorrect type, potentially leading to memory corruption. Such corruption could enable arbitrary code execution and compromise the confidentiality, integrity, and availability of the system hosting the library if malicious profiles are processed.

Affected Systems

The International Color Consortium’s iccDEV library is affected. All releases prior to 2.3.1.2 are vulnerable. The patch was integrated in version 2.3.1.2 and later.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the short term. The vulnerability is not listed in the CISA KEV catalog, but the type confusion flaw could be exploited if an attacker can supply or control the ICC profiles processed by the application. The likely attack vector is local or remote data injection through crafted ICC profiles supplied by an attacker.

Generated by OpenCVE AI on April 18, 2026 at 16:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iccDEV library to version 2.3.1.2 or later to apply the vendor patch.
  • If immediate upgrade is not feasible, validate or sanitize any ICC profiles before processing, and isolate the profile parsing component in a sandboxed environment to contain potential exploitation.
  • Conduct an inventory check of all deployed applications to ensure no legacy or earlier versions of iccDEV remain, and institute a patch management routine to keep the library on the latest secure version.


Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Color, Color iccdev
Weaknesses | | CWE-843
CPEs | | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products | | Color, Color iccdev

Thu, 08 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Internationalcolorconsortium, Internationalcolorconsortium iccdev
Vendors & Products | | Internationalcolorconsortium, Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title | | iccDEV has Type Confusion in CIccProfileXml::ParseBasic() at IccXML/IccLibXML/IccProfileXml.cpp
Weaknesses | | CWE-190, CWE-20, CWE-232, CWE-476, CWE-690, CWE-754
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T14:46:02.908Z

Reserved: 2026-01-02T18:45:27.397Z

Link: CVE-2026-21689

Vulnrichment

Updated: 2026-01-08T14:45:56.527Z

NVD

Status : Analyzed

Published: 2026-01-07T22:15:45.233

Modified: 2026-01-12T18:25:40.940

Link: CVE-2026-21689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z