Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ICC profiles to trigger undefined behavior when loading invalid icImageEncodingType values causing denial of service. This issue has been patched in version 2.3.1.2.
Published: 2026-02-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from type confusion in the CIccTagEmbeddedHeightImage::Validate method, enabling maliciously crafted ICC profiles to trigger undefined behavior when icImageEncodingType values are invalid. This causes the application to crash, resulting in a denial of service. The weakness is a classic example of type confusion that leads to memory corruption or misuse of data types.

Affected Systems

International Color Consortium’s iccDEV library is affected, specifically any release before version 2.3.1.2. Users running older releases that load ICC profiles without an updated library are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity; however, the EPSS score is below 1%, suggesting a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, and the patch available in version 2.3.1.2 mitigates the issue. The most likely attack vector involves an adversary supplying a crafted ICC profile to a system or application that processes such files, leading to a service interruption.

Generated by OpenCVE AI on April 18, 2026 at 00:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later.
  • Validate ICC profile files for correct icImageEncodingType before invoking the Library’s loading routine, rejecting any malformed profiles.
  • Restrict ICC profile inputs to trusted sources and enforce file integrity checks prior to processing with iccDEV.

Generated by OpenCVE AI on April 18, 2026 at 00:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 04 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 03 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ICC profiles to trigger undefined behavior when loading invalid icImageEncodingType values causing denial of service. This issue has been patched in version 2.3.1.2.
Title iccDEV Has Type Confusion in CIccTagEmbeddedHeightImage::Validate()
Weaknesses CWE-704
CWE-843
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T20:21:15.764Z

Reserved: 2026-02-02T18:21:42.485Z

Link: CVE-2026-25503

cve-icon Vulnrichment

Updated: 2026-02-04T20:21:06.943Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-03T19:16:27.127

Modified: 2026-02-10T16:18:55.040

Link: CVE-2026-25503

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:15:31Z

Weaknesses