Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to cause DoS, manipulate data, bypass application logic, and execute code. This issue has been fixed in version 2.3.1.2.
Published: 2026-01-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution
Action: Patch
AI Analysis

Impact

icSigCalcOp in iccDEV triggers undefined behavior when user‑controlled data is inserted into ICC profile blobs. The flaw can lead to denial of service, data tampering, logic bypass, and code execution in contexts where iccDEV parses those profiles. The issue is rooted in improper input validation (CWE‑20) and the resulting undefined behavior (CWE‑758).

Affected Systems

InternationalColorConsortium’s iccDEV library version 2.3.1.1 and any earlier releases are affected. Applications that rely on this library for color management, such as image editors or print workflow tools, are susceptible when they process external ICC profiles.

Risk and Exploitability

The CVSS score of 7.1 indicates significant risk, while the EPSS score of less than 1% and absence from CISA’s KEV catalog suggest a low probability of exploitation. The likely attack vector involves the delivery of crafted ICC profiles to vulnerable applications that use iccDEV; an attacker could trigger denial of service or, depending on the application’s privilege context, execute code. Successful exploitation would depend on the application layer’s exposure to untrusted ICC data.

Generated by OpenCVE AI on April 18, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later.
  • Restrict processing of ICC profiles to trusted sources only.
  • Monitor for abnormal crashes or unexpected behavior in systems that use iccDEV.


Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Color, Color iccdev |
| CPEs | | `cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Color, Color iccdev |

Mon, 26 Jan 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Mon, 26 Jan 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Internationalcolorconsortium, Internationalcolorconsortium iccdev |
| Vendors & Products | | Internationalcolorconsortium, Internationalcolorconsortium iccdev |

Sat, 24 Jan 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. |
| Title | | iccDEV has Undefined Behavior in icSigCalcOp() |
| Weaknesses | | CWE-20, CWE-758 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T17:14:24.684Z

Reserved: 2026-01-22T18:19:49.173Z

Link: CVE-2026-24407

Vulnrichment

Updated: 2026-01-26T17:14:20.612Z

NVD

Status: Analyzed

Published: 2026-01-24T01:15:51.223

Modified: 2026-01-30T18:24:44.130

Link: CVE-2026-24407

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:15:03Z

Weaknesses