Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers overlap in CIccTagMultiProcessElement::Apply() int IccTagMPE.cpp. This vulnerability is fixed in 2.3.1.4.
Published: 2026-02-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Memory Overwrite and Arbitrary Code Execution
Action: Patch Immediately
AI Analysis

Impact

A buffer overlap in the CIccTagMultiProcessElement::Apply() function causes src and dest stack buffers to interfere, creating an out‑of‑bounds write that can corrupt memory and potentially allow an attacker to execute arbitrary code or corrupt data managed by the library.

Affected Systems

InternationalColorConsortium’s iccDEV library, any version released before 2.3.1.4, is affected. The vulnerability was fixed in release 2.3.1.4 and later.

Risk and Exploitability

The CVSS score of 7.8 reflects a high severity associated with memory corruption. EPSS indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA’s KEV catalog. Exploitation likely requires the attacker to invoke the vulnerable library function within a process that has sufficient privileges, implying a local or application‑level attack vector rather than remote exploitation.

Generated by OpenCVE AI on April 17, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to iccDEV v2.3.1.4 or later to remove the source of the buffer overlap.
  • Recompile or relink all dependent applications to ensure they link against the updated library.
  • If an upgrade cannot be performed immediately, restrict the loading of ICC profiles from untrusted sources or disable color management features that rely on the vulnerable library functions.

Generated by OpenCVE AI on April 17, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
Weaknesses CWE-787
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Fri, 06 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers overlap in CIccTagMultiProcessElement::Apply() int IccTagMPE.cpp. This vulnerability is fixed in 2.3.1.4.
Title iccDEV memcpy-param-overlap in CIccTagMultiProcessElement::Apply()
Weaknesses CWE-119
CWE-123
CWE-628
CWE-682
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T20:53:17.123Z

Reserved: 2026-02-04T05:15:41.790Z

Link: CVE-2026-25634

cve-icon Vulnrichment

Updated: 2026-02-06T20:53:05.289Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T21:16:18.530

Modified: 2026-02-19T17:55:29.617

Link: CVE-2026-25634

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:30:29Z

Weaknesses