Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or DoS, potentially enabling arbitrary Code Execution or bypassing application logic. This issue has been fixed in version 2.3.1.2.
Published: 2026-01-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an integer overflow in the CIccProfile::CheckHeader() routine of iccDEV. When a victim loads a profile containing user-controllable tag tables, offsets, or size fields, the overflow can lead to parsing errors, memory corruption, or a denial of service. The corrupted memory state could be exploited to execute arbitrary code or to bypass normal application logic. The weakness is reflected by the CWE identifiers for integer overflow and improper input validation.

Affected Systems

International Color Consortium’s iccDEV libraries and tools are affected. All releases up to and including version 2.3.1.1 are vulnerable. Version 2.3.1.2 contains the fix and is the recommended minimum version to use.

Risk and Exploitability

The CVSS score of 7.1 indicates substantial impact and the EPSS score of less than 1% suggests that, while exploitation does occur in the wild, it is currently rare. The vulnerability is not listed in the CISA KEV catalog, so there are no known large-scale campaigns targeting it. Attackers would likely craft a malicious ICC profile that an application accepts, making the attack vector likely local or remote depending on how the profile is delivered. Because the flaw can lead to arbitrary code execution, organizations should treat it as high risk when the affected software processes untrusted input.

Generated by OpenCVE AI on April 18, 2026 at 03:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iccDEV to version 2.3.1.2 or later
  • If an immediate upgrade is not possible, restrict the source of ICC profiles to trusted sources or validate profile structure before processing
  • Apply application‑level checks for tag tables, offsets, and size fields to prevent integer overflows
  • Monitor for indicators of compromise related to memory corruption or unexpected application crashes

Generated by OpenCVE AI on April 18, 2026 at 03:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Sat, 24 Jan 2026 01:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or DoS, potentially enabling arbitrary Code Execution or bypassing application logic. This issue has been fixed in version 2.3.1.2.
Title iccDEV Undefined Behavior in CIccProfile::CheckHeader() Leads to Integer Overflow
Weaknesses CWE-190
CWE-20
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T16:17:48.768Z

Reserved: 2026-01-22T18:19:49.173Z

Link: CVE-2026-24403

cve-icon Vulnrichment

Updated: 2026-01-26T16:14:34.602Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-24T01:15:50.620

Modified: 2026-01-30T18:23:11.460

Link: CVE-2026-24403

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses