CVE-2026-22046 - Vulnerability Details

- iccDEV has heap-buffer-overflow in CIccProfileXml::ParseBasic() at IccXML/IccLibXML/IccProfileXml.cpp

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

Published: 2026-01-07

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Versions of iccDEV before 2.3.1.2 contain a heap-buffer-overflow in CIccProfileXml::ParseBasic() when parsing ICC color profiles. The flaw may result in memory corruption, application crashes, or, if exploited, arbitrary code execution. The vulnerability is listed under multiple CWEs, including buffer overflow and unchecked assignment.

Affected Systems

The International Color Consortium’s iccDEV library is affected, specifically all releases prior to 2.3.1.2. Users of the library who process ICC profiles are at risk.

Risk and Exploitability

The CVSS score of 8.8 signals a high severity level, and the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not currently catalogued in CISA’s KEV list. An attacker would need to supply a crafted ICC profile that is parsed by an application using the vulnerable library; the attack vector is inferred to be local or remote depending on the application’s context, but the description does not state limitations, so it is considered potentially exploitable whenever untrusted profiles can be processed.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

InternationalColorConsortium

iccDEV

affected

Version	Status	Constraints
`< 2.3.1.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Internationalcolorconsortium	Iccdev	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade iccDEV to version 2.3.1.2 or later.
Refuse or sandbox ICC profiles from untrusted sources until the update is applied.
Add input validation and bounds checks when handling ICC data to guard against buffer overflows.

Generated by OpenCVE AI on April 18, 2026 at 07:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00099.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/InternationalColorConsortium/iccDEV/issues/448
https://github.com/InternationalColorConsortium/iccDEV/pull/451
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7v4q-mhr2-hj7r

History

Wed, 14 Jan 2026 18:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Color Color iccdev
Weaknesses		CWE-787
CPEs		cpe:2.3:a:color:iccdev::::::::
Vendors & Products		Color Color iccdev

Fri, 09 Jan 2026 12:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 08 Jan 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Internationalcolorconsortium Internationalcolorconsortium iccdev
Vendors & Products		Internationalcolorconsortium Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccProfileXml::ParseBasic()` at `IccXML/IccLibXML/IccProfileXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title		iccDEV has heap-buffer-overflow in CIccProfileXml::ParseBasic() at IccXML/IccLibXML/IccProfileXml.cpp
Weaknesses		CWE-130 CWE-20 CWE-252 CWE-843
References		https://github.com/InternationalColorConsortium/iccDEV/issues/448 https://github.com/InternationalColorConsortium/iccDEV/pull/451 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7v4q-mhr2-hj7r
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Subscriptions

Color Iccdev

Internationalcolorconsortium Iccdev

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-07T22:02:58.282Z

Updated: 2026-01-08T18:17:49.958Z

Reserved: 2026-01-05T22:30:38.720Z

Link: CVE-2026-22046

Vulnrichment

Updated: 2026-01-08T15:10:04.462Z

NVD

Status : Analyzed

Published: 2026-01-07T22:15:45.977

Modified: 2026-01-14T18:44:13.930

Link: CVE-2026-22046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object