Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccSegmentedCurveXml::ToXml()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

A type confusion flaw exists in the CIccSegmentedCurveXml::ToXml() function of iccDEV. The incorrect handling of type expectations can corrupt program state when parsing ICC color profiles, enabling an attacker to execute arbitrary code or disrupt the system. The vulnerability may arise when a maliciously crafted profile is provided, so the impact depends on the ability to supply input to the library. Without additional safeguards, exploitation could compromise confidentiality, integrity, or availability of applications that rely on iccDEV.

Affected Systems

The issue affects the International Color Consortium’s iccDEV library for all releases older than 2.3.1.2. Users who process ICC color profiles with these versions are at risk. No other vendors or product versions are listed as affected.

Risk and Exploitability

The CVSS score of 8.8 indicates a high‑severity vulnerability, while the EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, implying it has not yet been observed in widespread exploits. The likely attack vector involves supplying a crafted ICC profile to an application that uses the vulnerable library; successful exploitation could lead to remote code execution.

Generated by OpenCVE AI on April 18, 2026 at 07:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or newer to apply the type‑confusion fix.
  • Prior to processing any ICC profile, validate the file against the official ICC schema or use a trusted source to ensure it is not malformed.
  • If an immediate upgrade is not feasible, restrict the library from loading profiles from untrusted sources and quarantine all profiles that fail validation.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Color; Color iccdev
CPEs                |                | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products  |                | Color; Color iccdev

Sat, 10 Jan 2026 00:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 10:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products  |                | Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 22:15:00 +0000

Type        | Values Removed | Values Added
Description |                | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccSegmentedCurveXml::ToXml()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title       |                | iccDEV has Type Confusion in CIccSegmentedCurveXml::ToXml() at IccXML/IccLibXML/IccMpeXml.cpp
Weaknesses  |                | CWE-20; CWE-681; CWE-754; CWE-843
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T18:17:54.646Z

Reserved: 2026-01-02T18:45:27.397Z

Link: CVE-2026-21693

Vulnrichment

Updated: 2026-01-08T15:10:19.125Z

NVD

Status : Analyzed

Published: 2026-01-07T22:15:45.830

Modified: 2026-01-12T18:29:02.290

Link: CVE-2026-21693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z