Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `ToXmlCurve()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Type conflict potentially enabling memory corruption or code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a type confusion in the IccXML/IccLibXML/IccMpeXml.cpp component of the iccDEV library. The flaw arises in the ToXmlCurve() function when handling ICC color profiles. This leads to improper type conversion and out‑of‑bounds memory access, as indicated by the listed CWEs. The result is a condition that can corrupt memory or change program control flow, which may be leveraged by an attacker to execute arbitrary code or disrupt the integrity of the application processing the profiles.

Affected Systems

All installations of InternationalColorConsortium iccDEV versions earlier than 2.3.1.2 are affected. The issue exists in the core library used to parse and transform ICC profiles and applies to any system that uses these libraries to handle color profiles, regardless of operating system.

Risk and Exploitability

The CVSS score of 8.8 classifies the risk as high. The EPSS score is below 1 %, indicating a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a crafted ICC profile to the vulnerable library; this can be achieved through any medium that the application accepts such profiles—email, file uploads, or network exchange. No known mitigations exist until the library is upgraded, so the primary defense is to avoid processing untrusted profiles.

Generated by OpenCVE AI on April 18, 2026 at 16:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iccDEV library to version 2.3.1.2 or later.
  • Restrict the acceptance of ICC profiles to trusted sources by implementing pre-processing checks or input validation before passing to iccDEV.
  • Implement network and file upload controls to prevent malicious ICC profiles from entering the system, and monitor for anomalies related to color profile handling.

Generated by OpenCVE AI on April 18, 2026 at 16:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Fri, 09 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `ToXmlCurve()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title iccDEV has Type Confusion in ToXmlCurve() at IccXML/IccLibXML/IccMpeXml.cpp
Weaknesses CWE-20
CWE-588
CWE-704
CWE-843
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T18:17:59.546Z

Reserved: 2026-01-02T18:45:27.397Z

Link: CVE-2026-21692

cve-icon Vulnrichment

Updated: 2026-01-08T15:10:31.921Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T22:15:45.677

Modified: 2026-01-12T18:27:18.457

Link: CVE-2026-21692

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses