Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, stack-based buffer overflow in icFixXml() function when processing malformed ICC profiles, allows potential arbitrary code execution through crafted NamedColor2 tags. This issue has been patched in version 2.3.1.2.
Published: 2026-02-03
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

A stack-based buffer overflow in the icFixXml function occurs when malformed ICC profiles containing crafted NamedColor2 tags are processed. This flaw can allow an attacker to execute arbitrary code, potentially compromising confidentiality, integrity, and availability. The vulnerability maps to the stack-based buffer overflow (CWE-121) and out‑of‑bounds memory access (CWE-787) weaknesses.

Affected Systems

International Color Consortium’s iccDEV library is affected. All builds using iccDEV prior to version 2.3.1.2 are vulnerable, including applications that embed the library for ICC profile handling.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity impact. An EPSS score of less than 1% suggests a low likelihood of exploitation in the short term, and the vulnerability is not listed in the CISA KEV catalog. The attack requires delivery of a malicious ICC profile that is processed by an application linked to the vulnerable library. Such a profile could be introduced locally or via a network interface that accepts ICC files, making the attack vector likely local to the system or an application that accepts external profiles.

Generated by OpenCVE AI on April 18, 2026 at 14:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later to apply the patch.
  • If an upgrade is not immediately possible, limit the acceptance of ICC profiles to trusted sources and validate any received profile before processing by iccDEV.
  • If the application can disable ICC profile support, disable that feature to eliminate the vulnerable code path.

Generated by OpenCVE AI on April 18, 2026 at 14:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 04 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 03 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, stack-based buffer overflow in icFixXml() function when processing malformed ICC profiles, allows potential arbitrary code execution through crafted NamedColor2 tags. This issue has been patched in version 2.3.1.2.
Title iccDEV is vulnerable to stack-buffer-overflow in icFixXml()
Weaknesses CWE-121
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T20:09:50.566Z

Reserved: 2026-02-02T18:21:42.485Z

Link: CVE-2026-25502

cve-icon Vulnrichment

Updated: 2026-02-04T20:09:42.444Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T19:16:26.963

Modified: 2026-02-10T16:18:43.340

Link: CVE-2026-25502

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:15:04Z

Weaknesses