Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a stack-buffer-overflow vulnerability in CIccTagFloatNum<>::GetValues(). This is triggered when processing a malformed ICC profile. The vulnerability allows an out-of-bounds write on the stack, potentially leading to memory corruption, information disclosure, or code execution when processing specially crafted ICC files. This issue has been patched in version 2.3.1.3.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption potentially leading to code execution
Action: Apply Patch
AI Analysis

Impact

iccDEV, a library suite for interacting with ICC color management profiles, contains a stack-based buffer overflow in the method CIccTagFloatNum::GetValues() in all releases prior to 2.3.1.3. The flaw is triggered when a malformed ICC profile is parsed, causing an out-of-bounds write on the stack that may corrupt memory, leak sensitive data, or allow an attacker to execute arbitrary code. The issue is classified under CWE‑119, CWE‑121, CWE‑787, and CWE‑788, indicating typical buffer overflow weaknesses.

Affected Systems

The vulnerability affects the International Color Consortium’s iccDEV product. All versions released before 2.3.1.3 are susceptible; the fix is available starting with the 2.3.1.3 release.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, while the EPSS of <1% reflects a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to supply a specially crafted ICC file to an application that processes such profiles, making it a local or remote file-based attack depending on how the application uses iccDEV. Once triggered, the stack overflow could lead to memory corruption and potentially full code execution, presenting a significant but currently low likelihood risk.

Generated by OpenCVE AI on April 17, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iccDEV to version 2.3.1.3 or later to apply the official fix.
  • Ensure that applications using iccDEV validate ICC profiles against trusted sources before processing to reduce the risk of a malformed file triggering the vulnerability.
  • If an immediate update is not feasible, restrict the execution of ICC processing modules or disable ICC support for untrusted input until the patch can be applied.

Generated by OpenCVE AI on April 17, 2026 at 23:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 04 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a stack-buffer-overflow vulnerability in CIccTagFloatNum<>::GetValues(). This is triggered when processing a malformed ICC profile. The vulnerability allows an out-of-bounds write on the stack, potentially leading to memory corruption, information disclosure, or code execution when processing specially crafted ICC files. This issue has been patched in version 2.3.1.3.
Title iccDEV vulnerable to Stack-based Buffer Overflow in CIccTagFloatNum::GetValues()
Weaknesses CWE-119
CWE-121
CWE-787
CWE-788
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T15:08:25.732Z

Reserved: 2026-02-03T01:02:46.715Z

Link: CVE-2026-25584

cve-icon Vulnrichment

Updated: 2026-02-05T15:08:15.037Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T22:16:01.683

Modified: 2026-02-18T18:37:23.603

Link: CVE-2026-25584

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses