Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have aHeap Buffer Overflow vulnerability in the CIccTagXmlSegmentedCurve::ToXml() function. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Published: 2026-01-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution, DoS, Data Manipulation
Action: Immediate Patch
AI Analysis

Impact

A heap buffer overflow exists in the CIccTagXmlSegmentedCurve::ToXml() function of iccDEV. When user‑controllable data is incorporated unsafely into ICC profile files or other binary blobs, the library can overrun its heap buffer, allowing an attacker to trigger a denial of service, corrupt data, bypass application logic and ultimately execute arbitrary code. The vulnerability corresponds to CWE‑122 and CW‑20 weaknesses.

Affected Systems

The InternationalColorConsortium’s iccDEV library is affected for all releases version 2.3.1.1 and earlier. The issue was addressed in version 2.3.1.2 and later releases.

Risk and Exploitability

The CVSS base score is 8.8, indicating a high‑severity flaw, while the EPSS score of < 1 % suggests a low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires supplying a malicious ICC profile or structured binary blob to software that uses iccDEV; the attack vector is thus likely local or remote file input where the attacker can influence the data processed by the library. A successful attack would grant the attacker the ability to crash services, tamper with data, or run arbitrary code within the context of the application using the library.

Generated by OpenCVE AI on April 18, 2026 at 02:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later to apply the vendor‐issued fix.
  • Implement strict validation or sanitization of any user‑supplied ICC profile data before it is passed to iccDEV functions.
  • If an upgrade is not immediately feasible, isolate the untrusted profile processing from critical services or replace iccDEV with a vetted alternative that does not contain the vulnerability.

Generated by OpenCVE AI on April 18, 2026 at 02:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Sat, 24 Jan 2026 02:00:00 +0000

Type Values Removed Values Added
Description iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have aHeap Buffer Overflow vulnerability in the CIccTagXmlSegmentedCurve::ToXml() function. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Title iccDEV has Heap Buffer Overflow in icCurvesFromXml()
Weaknesses CWE-122
CWE-20
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T16:17:19.746Z

Reserved: 2026-01-22T18:19:49.174Z

Link: CVE-2026-24412

cve-icon Vulnrichment

Updated: 2026-01-26T16:15:48.769Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-24T02:15:49.360

Modified: 2026-01-30T18:25:05.917

Link: CVE-2026-24412

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z

Weaknesses