Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a vulnerability in IccCmm.cpp:5793 when reading through an index during ICC profile processing. The malformed ICC profile triggers improper array bounds validation in the color management module, resulting in an out-of-bounds read that can lead to memory disclosure or a segmentation fault from accessing memory beyond the array boundary. This issue has been patched in version 2.3.1.3.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds read resulting in memory disclosure or crash
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in iccDEV arises from improper array bounds validation when parsing a malformed ICC profile in IccCmm.cpp:5793. This defect allows an attacker to provoke an out-of-bounds read, potentially exposing sensitive memory contents or causing a segmentation fault. The weakness is associated with several buffer-overflow-related weaknesses, including improper bounds checking, signed-to-unsigned conversion errors, and invalid memory reads.

Affected Systems

The affected product is the iccDEV library released by International Color Consortium. All versions prior to 2.3.1.3 are vulnerable; the issue was addressed in release 2.3.1.3 and later.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The vulnerability is not currently listed in the CISA KEV catalog. An attacker could exploit the flaw by supplying a crafted ICC profile to any application that processes profiles through the iccDEV library, potentially leading to information disclosure or denial of service. The exploit requires the victim to parse the malicious profile, which may occur in professional imaging, printing, or graphics workflows.

Generated by OpenCVE AI on April 17, 2026 at 23:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.3 or later, which contains the official patch for the out-of-bounds read.
  • If an upgrade is not immediately possible, validate ICC profiles against the ICC specification or reject profiles that fail integrity checks before passing them to the library.
  • Implement runtime monitoring of applications using iccDEV to detect abnormal crashes or memory access violations, and isolate or quarantine affected processes if repeated failures occur.
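
As an added illustration of the second recommendation, not code from iccDEV or OpenCVE, the following C++ pre-filter checks the ICC header's declared size and 'acsp' signature and verifies that every tag-table entry's offset and size fall inside the file before the profile is handed to the library. The function and helper names are assumptions and the sample profile is constructed inline; the check covers the profile container only and does not reproduce the LUT index validation at IccCmm.cpp:5793, about which the page gives no code-level detail.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Read a big-endian 32-bit field (ICC profiles are big-endian).
static uint32_t be32(const std::vector<uint8_t>& b, size_t off) {
    return (uint32_t(b[off]) << 24) | (uint32_t(b[off + 1]) << 16) |
           (uint32_t(b[off + 2]) << 8) | uint32_t(b[off + 3]);
}

// Hypothetical integrity check: header size, 'acsp' signature, and
// tag-table bounds. Returns true only if every tag's data range lies
// inside the profile buffer, so no later offset arithmetic can run past it.
bool iccProfileLooksSane(const std::vector<uint8_t>& p) {
    const size_t kHeader = 128;                      // fixed ICC header size
    if (p.size() < kHeader + 4) return false;        // header + tag count
    if (be32(p, 0) != p.size()) return false;        // declared size must match
    if (p[36] != 'a' || p[37] != 'c' || p[38] != 's' || p[39] != 'p')
        return false;                                // bytes 36..39 = 'acsp'
    uint32_t count = be32(p, kHeader);
    // 12 bytes per tag entry; bound the count before multiplying to avoid wrap
    if (count > (p.size() - kHeader - 4) / 12) return false;
    for (uint32_t i = 0; i < count; ++i) {
        size_t e = kHeader + 4 + size_t(i) * 12;     // entry: sig, offset, size
        uint32_t off = be32(p, e + 4), sz = be32(p, e + 8);
        // check off and sz separately so off + sz cannot wrap around
        if (off > p.size() || sz > p.size() - off) return false;
    }
    return true;
}

// Constructed sample profile with a single 'A2B0' tag; total must be >= 144.
std::vector<uint8_t> makeProfile(uint32_t tagOff, uint32_t tagSz, size_t total) {
    std::vector<uint8_t> p(total, 0);
    auto put32 = [&](size_t o, uint32_t v) {
        p[o] = uint8_t(v >> 24); p[o + 1] = uint8_t(v >> 16);
        p[o + 2] = uint8_t(v >> 8); p[o + 3] = uint8_t(v);
    };
    put32(0, uint32_t(total));                       // profile size field
    p[36] = 'a'; p[37] = 'c'; p[38] = 's'; p[39] = 'p';
    put32(128, 1);                                   // tag count
    put32(132, 0x41324230);                          // 'A2B0' tag signature
    put32(136, tagOff);
    put32(140, tagSz);
    return p;
}
```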

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 18:15:00 +0000

Type: First Time appeared; Values Removed: (none); Values Added: Color, Color iccdev
Type: CPEs; Values Removed: (none); Values Added: cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Type: Vendors & Products; Values Removed: (none); Values Added: Color, Color iccdev

Thu, 05 Feb 2026 15:15:00 +0000

Type: Metrics; Values Removed: (none); Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 11:45:00 +0000

Type: First Time appeared; Values Removed: (none); Values Added: Internationalcolorconsortium, Internationalcolorconsortium iccdev
Type: Vendors & Products; Values Removed: (none); Values Added: Internationalcolorconsortium, Internationalcolorconsortium iccdev

Wed, 04 Feb 2026 22:30:00 +0000

Type: Description; Values Removed: (none); Values Added: iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a vulnerability IccCmm.cpp:5793 when reading through index during ICC profile processing. The malformed ICC profile triggers improper array bounds validation in the color management module, resulting in an out-of-bounds read that can lead to memory disclosure or segmentation fault from accessing memory beyond the array boundary. This issue has been patched in version 2.3.1.3.
Type: Title; Values Removed: (none); Values Added: iccDEV vulnerable to OOB in CIccXform3DLut::Apply()
Type: Weaknesses; Values Removed: (none); Values Added: CWE-119, CWE-125, CWE-129, CWE-787
Type: References; Values Removed: (none); Values Added: (none shown)
Type: Metrics; Values Removed: (none); Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T15:07:43.492Z

Reserved: 2026-02-03T01:02:46.715Z

Link: CVE-2026-25585

Vulnrichment

Updated: 2026-02-05T15:06:36.191Z

NVD

Status : Analyzed

Published: 2026-02-04T23:15:56.220

Modified: 2026-02-18T18:12:31.050

Link: CVE-2026-25585

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z