Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a heap-buffer-overflow in the CIccCLUT::Init() function of the iccDEV library (IccProfLib/IccTagLut.cpp), the routine that sets up the colour lookup table (CLUT) carried by LUT-type profile tags. When a malformed ICC profile is parsed, the library can write beyond the bounds of a heap buffer, corrupting adjacent memory. NVD classifies the root cause as CWE-130 (improper handling of a length parameter inconsistency), together with CWE-20 (improper input validation) and CWE-252 (unchecked return value), so the overflow stems from profile-supplied sizes being trusted rather than checked against the data actually present. Depending on heap layout and the host application, the corruption can be leveraged for arbitrary code execution or to crash the process, affecting confidentiality, integrity, and availability.
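The pattern described above, a CLUT whose buffer size is derived from profile-supplied grid-point counts and channel counts without checking them against the data actually present, is illustrated by the following constructed example. It is added here for this page and is not iccDEV's CIccCLUT code, nor a reproduction of the actual CVE-2026-22255 defect; the struct, field names, and the 16-axis limit are assumptions modelled on the ICC lut-type tag layout, and the sample headers and data bytes are constructed inline. The naive function shows how a 32-bit size computation wraps on hostile input; the checked function is the length-consistency check a hardened parser performs before allocating or copying.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed model of a CLUT header as carried in an ICC lut-type tag.
// Illustrative code added for this page; not iccDEV's CIccCLUT layout.
struct ClutHeader {
    uint8_t  inputChannels;     // number of input channels (ICC allows up to 16)
    uint8_t  outputChannels;    // number of output channels
    uint8_t  gridPoints[16];    // grid-point count per input channel, from the profile
    uint8_t  bytesPerPoint;     // 1 or 2 in ICC CLUTs
    uint32_t tagDataBytes;      // CLUT data bytes actually present in the tag
};

// Naive size computation: trusts every profile-supplied field and multiplies
// in 32 bits. With enough grid points the product wraps, and the result is far
// smaller than the number of entries a later fill loop would write.
uint32_t clut_bytes_naive(const ClutHeader& h) {
    uint32_t n = 1;
    for (int i = 0; i < h.inputChannels; ++i)
        n *= h.gridPoints[i];
    return n * h.outputChannels * h.bytesPerPoint;
}

// Hardened size computation: range-checks each field, detects multiplication
// overflow at every step, and requires the computed size to fit inside the
// data the tag actually carries (the CWE-130 length-consistency check).
bool clut_bytes_checked(const ClutHeader& h, uint64_t* bytes) {
    if (h.inputChannels == 0 || h.inputChannels > 16) return false;
    if (h.outputChannels == 0) return false;
    if (h.bytesPerPoint != 1 && h.bytesPerPoint != 2) return false;
    uint64_t n = 1;
    for (int i = 0; i < h.inputChannels; ++i) {
        if (h.gridPoints[i] < 2) return false;     // a CLUT axis needs at least 2 points
        n *= h.gridPoints[i];
        if (n > UINT32_MAX) return false;          // cannot be backed by a 32-bit tag
    }
    n *= static_cast<uint64_t>(h.outputChannels) * h.bytesPerPoint;
    if (n > h.tagDataBytes) return false;          // declared geometry exceeds data present
    *bytes = n;
    return true;
}

// Copies CLUT data into an owned buffer only after the size check passes, so
// the copy length is bounded by both the declared geometry and the bytes present.
bool load_clut(const ClutHeader& h, const uint8_t* data, size_t dataLen,
               std::vector<uint8_t>* out) {
    uint64_t need = 0;
    if (!clut_bytes_checked(h, &need)) return false;
    if (need > dataLen) return false;              // caller's buffer shorter than header claims
    out->assign(data, data + need);
    return true;
}

int main() {
    // Constructed benign header: 2x2x2 grid, 3 outputs, 1 byte per point = 24 bytes.
    ClutHeader benign = {3, 3, {2, 2, 2}, 1, 24};
    // Constructed hostile header: 16 axes of 4 points -> 4^16 = 2^32 entries, which
    // wraps the 32-bit product to 0 while only 24 data bytes are actually present.
    ClutHeader hostile = {16, 3, {4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4, 4}, 2, 24};
    uint8_t data[24];
    memset(data, 0xAB, sizeof data);               // constructed CLUT payload
    std::vector<uint8_t> clut;
    uint64_t n = 0;
    printf("benign:  naive=%u checked=%s (%llu bytes)\n", clut_bytes_naive(benign),
           clut_bytes_checked(benign, &n) ? "ok" : "rejected", (unsigned long long)n);
    printf("hostile: naive=%u checked=%s\n", clut_bytes_naive(hostile),
           clut_bytes_checked(hostile, &n) ? "ok" : "rejected");
    printf("load benign: %s, load hostile: %s\n",
           load_clut(benign, data, sizeof data, &clut) ? "ok" : "rejected",
           load_clut(hostile, data, sizeof data, &clut) ? "ok" : "rejected");
    return 0;
}
```

The hostile header is the instructive case: the naive computation reports 0 bytes, so an allocation based on it would be tiny while any loop that walks the declared grid would write billions of entries past it. The checked version rejects it at the overflow test, and also rejects a header whose geometry is internally valid but larger than the tag data present, which is the inconsistency CWE-130 names.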

Affected Systems

iccDEV from the International Color Consortium is affected wherever it is used to parse ICC color profiles (NVD records the product under both the internationalcolorconsortium:iccdev and color:iccdev CPE names). All releases earlier than 2.3.1.2 are vulnerable; the fix ships in iccDEV 2.3.1.2 and later, so any installation still on an earlier version must be treated as vulnerable until updated.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, score 8.8 High) describes an attack that needs no privileges but does need user interaction: the attacker has to get a crafted ICC profile in front of an application that parses it with iccDEV, for example by embedding it in an image or document, which is a routine input in imaging, printing, and publishing workflows. The EPSS score is below 1% and the vulnerability is not in the CISA KEV catalog, so exploitation in the wild is currently judged unlikely, although the SSVC record lists Exploitation as "poc", meaning a public proof of concept or well-known exploitation method exists. Because the flaw is a heap buffer overflow driven by attacker-controlled length fields, a successful trigger can range from a crash to arbitrary code execution.

Generated by OpenCVE AI on April 18, 2026 at 07:38 UTC.

Remediation

Vendor fix: iccDEV 2.3.1.2 contains the patch; upgrade to that version or later. No workaround is provided by the vendor.

OpenCVE Recommended Actions

  • Apply the official update to iccDEV version 2.3.1.2 or later from the International Color Consortium repository or your distribution channels.
  • Identify every application or service that links against iccDEV: rebuild and redeploy anything that links it statically, and for dynamic linking update the shared library and restart the consuming processes, then confirm the running version is 2.3.1.2 or later.
  • Where immediate patching is not feasible, limit ICC profile processing to trusted sources, verify profiles against a known-good set (for example by hash) using a check that does not itself load the profile with an unpatched iccDEV, and consider sandboxing the profile-parsing component or disabling profile handling entirely.

Advisories

No advisories yet.

History

Wed, 14 Jan 2026 19:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Color; Color iccdev
CPEs                 -                cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products   -                Color; Color iccdev

Fri, 09 Jan 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products   -                Internationalcolorconsortium; Internationalcolorconsortium iccdev

Thu, 08 Jan 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 15:45:00 +0000

Type                 Values Removed   Values Added
Description          -                iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title                -                iccDEV has heap-buffer-overflow in CIccCLUT::Init() at IccProfLib/IccTagLut.cpp
Weaknesses           -                CWE-130; CWE-20; CWE-252
References           -                -
Metrics              -                cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T15:54:58.115Z

Reserved: 2026-01-07T05:19:12.922Z

Link: CVE-2026-22255

Vulnrichment

Updated: 2026-01-08T15:54:29.623Z

NVD

Status : Analyzed

Published: 2026-01-08T16:16:03.110

Modified: 2026-01-14T18:48:22.507

Link: CVE-2026-22255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses