Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, There is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2.
Published: 2026-01-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Code Execution or Memory Corruption
Action: Apply Patch
AI Analysis

Impact

A heap‑based buffer overflow exists in the function SIccCalcOp::Describe() within the IccProfLib/IccMpeCalc.cpp module of the iccDEV library. Because this function processes the contents of ICC color management profiles, an attacker who can supply a crafted profile may trigger memory corruption that can lead to arbitrary code execution or denial of service; whether code execution is achieved is inferred from the nature of the overflow and similar exploits. The vulnerability is identified as CVE-2026-22861 and is highlighted by the CVSS score of 8.8, indicating a high severity of potential impact on confidentiality, integrity, and availability.

Affected Systems

The issue affects installations of the International Color Consortium’s iccDEV library that are older than version 2.3.1.2. Any application or system that utilizes iccDEV to load or manipulate ICC profiles is within the scope of the vulnerability.

Risk and Exploitability

The CVSS base score of 8.8 reflects a high likelihood that exploitation could compromise the host. EPSS scoring of less than 1% suggests that successful exploitation is not currently widespread, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the overflow arises from processing user‑supplied ICC data, an attacker who can control or influence profile inputs—directly or via remote uploads—is capable of exploiting the flaw. The attack does not appear to require privileged access beyond the ability to provide a malicious file to a process that links against iccDEV.

Generated by OpenCVE AI on April 18, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iccDEV to version 2.3.1.2 or later to apply the buffer‑overflow fix.
  • If an upgrade cannot be performed immediately, restrict or quarantine processing of ICC profiles from untrusted or externally supplied sources, implementing bounds‑checking to mitigate CWE‑120 (Buffer Copy without Length Checks) and CWE‑787 (Out‑of‑Bounds Access).
  • Review custom code that handles ICC profiles to add explicit input validation, verify lengths before allocating or using heap buffers, and enforce proper bounds checks to protect against the identified weaknesses identified by the CWE list.

Generated by OpenCVE AI on April 18, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
Weaknesses CWE-787
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 13 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, There is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2.
Title iccDEV has a heap-buffer-overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp
Weaknesses CWE-120
CWE-130
CWE-252
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-13T21:45:47.596Z

Reserved: 2026-01-12T16:20:16.746Z

Link: CVE-2026-22861

cve-icon Vulnrichment

Updated: 2026-01-13T21:45:29.118Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-13T21:15:54.437

Modified: 2026-01-16T18:46:06.070

Link: CVE-2026-22861

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses