Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Published: 2026-01-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution
Action: Immediate Patch
AI Analysis

Impact

A heap buffer overflow exists in the CIccTagNamedColor2::SetSize function of the iccDEV library, caused when user‑controlled data is incorporated into ICC profile files or other structured binary blobs. A successful exploit can trigger a denial of service, permit data tampering, bypass application logic, and ultimately enable arbitrary code execution.

Affected Systems

The vulnerability affects InternationalColorConsortium’s iccDEV, specifically all releases up to and including 2.3.1.1. The bug was fixed in version 2.3.1.2; applications that embed iccDEV in color‑management workflows should verify that they are running an unaffected version.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score is below 1 %, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the ability to supply or influence ICC profile data processed by an application using iccDEV, making the attack vector a trusted or untrusted profile loading scenario.

Generated by OpenCVE AI on April 18, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later to eliminate the vulnerability.
  • If an upgrade is not currently possible, restrict ICC profile loading to trusted sources and perform pre‑validation of profile size and structure before processing.
  • Configure monitoring to detect crashes or anomalous behavior when handling ICC profiles and alert administrators of potential exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 18:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Sat, 24 Jan 2026 01:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Title iccDEV has Heap Buffer Overflow in CIccTagNamedColor2::SetSize()
Weaknesses CWE-122
CWE-20
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T17:16:51.333Z

Reserved: 2026-01-22T18:19:49.173Z

Link: CVE-2026-24406

cve-icon Vulnrichment

Updated: 2026-01-26T17:15:23.201Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-24T01:15:51.073

Modified: 2026-01-30T18:24:36.017

Link: CVE-2026-24406

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses