Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing potentially corrupting memory structures and enabling arbitrary code execution. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available.
Published: 2026-01-28
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from an undefined behavior in iccDEV’s XML parsing routine, where NaN floating‑point values are converted to unsigned short integer types without proper checks. The lack of validation allows memory structures to be corrupted, which in turn can lead to arbitrary code execution. The weakness is characterized by multiple CWE entries (CWE‑20, CWE‑681, CWE‑704).

Affected Systems

Applications that rely on the International Color Consortium’s iccDEV library, particularly those that process ICC color profiles, are affected. Any deployment using iccDEV versions earlier than 2.3.1.2 is vulnerable. The fix is incorporated starting with version 2.3.1.2; later releases carry the same patch.

Risk and Exploitability

With a CVSS score of 7.8, the vulnerability is deemed high severity, but the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Attackers would need to deliver a crafted ICC profile that includes NaN values to the target application, a scenario that is feasible when the library is used to process user‑supplied color data. Because the issue originates in a runtime conversion, exploitation can occur without special privileges, making the risk significant for software that accepts external ICC profiles.

Generated by OpenCVE AI on April 18, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later, which includes the fix for the NaN conversion issue.
  • Configure applications to reject or sanitize ICC profiles that contain NaN values, or disable profile processing for untrusted sources.
  • Review and test code paths that handle ICC profile XML parsing to ensure bounds checking and type conversion safeguards are in place.

Generated by OpenCVE AI on April 18, 2026 at 01:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 29 Jan 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 28 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing potentially corrupting memory structures and enabling arbitrary code execution. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available.
Title iccDEV has UB runtime error in <icTagTypeSignature>
Weaknesses CWE-20
CWE-681
CWE-704
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T21:34:21.551Z

Reserved: 2026-01-27T14:51:03.061Z

Link: CVE-2026-24856

cve-icon Vulnrichment

Updated: 2026-01-28T21:34:16.351Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-28T21:16:13.247

Modified: 2026-02-03T14:07:59.610

Link: CVE-2026-24856

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:45:33Z

Weaknesses