Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow vulnerability in CIccFileIO::Read8() when processing malformed ICC profile files via unchecked fread operation. This issue has been patched in version 2.3.1.3.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a heap buffer overflow in CIccFileIO::Read8() that occurs when processing malformed ICC profile files. The unchecked fread operation can overwrite memory, potentially leading to arbitrary code execution on the local system.

Affected Systems

Affected systems are installations of the International Color Consortium's iccDEV library whose version is earlier than 2.3.1.3. Any application that uses this library to read or manipulate ICC profiles may be exposed.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score of less than 1% shows that exploitation is currently rare. The vulnerability is not listed in the CISA KEV catalog. It can be exploited by supplying a crafted ICC profile file to a program that loads it, making the attack vector likely local or a medium‑risk network file acquisition. Management should prioritize applying the 2.3.1.3 patch to eliminate the risk.

Generated by OpenCVE AI on April 18, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iccDEV to version 2.3.1.3 or later.
  • Ensure that all applications using iccDEV reference the updated library.
  • If an immediate upgrade is not possible, restrict the source of ICC profile files to trusted inputs and validate files before processing.

Generated by OpenCVE AI on April 18, 2026 at 13:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 05 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 04 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow vulnerability in CIccFileIO::Read8() when processing malformed ICC profile files via unchecked fread operation. This issue has been patched in version 2.3.1.3.
Title iccDEV vulnerable to Heap Buffer Overflow in CIccFileIO::Read8()
Weaknesses CWE-119
CWE-122
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T15:09:54.550Z

Reserved: 2026-02-03T01:02:46.715Z

Link: CVE-2026-25583

cve-icon Vulnrichment

Updated: 2026-02-05T15:09:46.616Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T22:16:01.540

Modified: 2026-02-18T18:47:01.090

Link: CVE-2026-25583

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses