Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccMpeCalculator::Read(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Published: 2026-01-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

iccDEV includes a heap buffer overflow in the CIccMpeCalculator::Read() function. The flaw is triggered when user-controllable data in ICC profile files or other structured binary blobs is parsed without proper bounds checking. If exploited, the overflow can corrupt heap memory, allowing an attacker to crash the application for denial of service, manipulate data, bypass application logic, or execute arbitrary code.

Affected Systems

The International Color Consortium product iccDEV is affected. Versions 2.3.1.1 and all earlier releases contain the vulnerability. The fix is available in version 2.3.1.2 and later, which patches the unsafe parsing routine.

Risk and Exploitability

The vulnerability scores 8.8 on CVSS, indicating high severity. EPSS is reported as less than 1%, suggesting that the likelihood of exploitation in the wild is currently low and no known active exploits are documented. The flaw is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is delivering a crafted ICC profile or binary blob to an application that uses iccDEV, which could be achieved remotely if such files are loaded from untrusted sources or locally if the attacker can influence the data supplied to the library. Proper validation of ICC data and application of the patch mitigates both denial-of-service and code-execution risks.

Generated by OpenCVE AI on April 18, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later, which resolves the heap overflow flaw.
  • Implement strict input validation for any ICC profile or binary blob before passing it to iccDEV, ensuring that only well-formed data is processed.
  • As an interim measure, restrict the use of external ICC profiles to trusted sources and disable automatic profile loading in applications until the library upgrade is performed.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Color; Color iccdev
CPEs | | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products | | Color; Color iccdev

Mon, 26 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products | | Internationalcolorconsortium; Internationalcolorconsortium iccdev

Sat, 24 Jan 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccMpeCalculator::Read(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Title | | iccDEV has Heap Buffer Overflow in CIccMpeCalculator::Read()
Weaknesses | | CWE-122; CWE-20
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-01-26T16:17:38.994Z
Reserved: 2026-01-22T18:19:49.173Z
Link: CVE-2026-24405

Vulnrichment

Updated: 2026-01-26T16:15:50.790Z

NVD

Status: Analyzed
Published: 2026-01-24T01:15:50.923
Modified: 2026-01-30T18:24:30.327
Link: CVE-2026-24405

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:15:03Z

Weaknesses