Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow (read) vulnerability in CIccIO::WriteUInt16Float() when converting malformed XML to ICC profiles via iccFromXml tool. This issue has been patched in version 2.3.1.3.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory read corruption potentially leading to information disclosure or application instability
Action: Patch
AI Analysis

Impact

The flaw is a heap buffer overflow in the iccDEV library that occurs when the iccFromXml tool parses malformed XML into ICC profiles. The overflow reads beyond the intended buffer, potentially exposing sensitive data or causing application instability. This weakness can be exploited to bypass integrity checks and exhibit memory corruption or a crash, affecting confidentiality and availability of the system.

Affected Systems

All installations of the International Color Consortium’s iccDEV libraries and tools that use the CIccIO module, before the fix was released in version 2.3.1.3, are vulnerable. The issue does not affect later releases.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the very low EPSS score suggests a small chance of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog as of the last update. Exploitation requires delivery of crafted XML to the iccFromXml utility, which is typically a local operation but could be triggered automatically in applications that process user‑provided ICC data. Attackers might exploit this by positioning malicious XML in a location that the tool reads, thereby achieving memory corruption or a crash.

Generated by OpenCVE AI on April 18, 2026 at 13:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iccDEV to version 2.3.1.3 or later to eliminate the heap buffer overflow vulnerability.
  • Ensure all components that use CIccIO::WriteUInt16Float(), including iccFromXml, are updated to the patched version and rebuild any dependent applications to remove the risk.
  • If a patch cannot be applied immediately, restrict execution of iccFromXml to trusted inputs only, disable automated XML conversion where possible, and run the tool with the least privileges possible.

Generated by OpenCVE AI on April 18, 2026 at 13:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 04 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow (read) vulnerability in CIccIO::WriteUInt16Float() when converting malformed XML to ICC profiles via iccFromXml tool. This issue has been patched in version 2.3.1.3.
Title iccDEV vulnerable to Heap Buffer Overflow in CIccIO::WriteUInt16Float()
Weaknesses CWE-119
CWE-122
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T15:10:38.717Z

Reserved: 2026-02-03T01:02:46.715Z

Link: CVE-2026-25582

cve-icon Vulnrichment

Updated: 2026-02-05T15:10:32.633Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T22:16:01.393

Modified: 2026-02-18T18:48:30.107

Link: CVE-2026-25582

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses