Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, signed integer overflow in iccFromCube.cpp during multiplication triggers undefined behavior, potentially causing crashes or incorrect ICC profile generation when processing crafted/large cube inputs. Commit 43ae18dd69fc70190d3632a18a3af2f3da1e052a fixes the issue. No known workarounds are available.
Published: 2026-02-25
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Crash or incorrect ICC profile generation
Action: Update library
AI Analysis

Impact

Signed integer overflow in a multiplication in iccFromCube.cpp (the page's title places it in parse3DTable()) is undefined behavior in C++: the compiler may assume the overflow cannot happen, so a value derived from the product, and any bounds check that relies on it, cannot be trusted. In practice this can crash the converter or produce an invalid or incorrect ICC profile when it processes crafted or excessively large cube inputs. The advisory reports an availability impact only; no memory-safety consequence beyond the crash is claimed.

Affected Systems

Versions of the International Color Consortium's iccDEV up to and including 2.3.1.4 are affected. The defect is in the iccFromCube component (parse3DTable() in iccFromCube.cpp), which parses 3D cube table data and generates an ICC profile from it, so any build or tool that includes that code path and accepts untrusted cube input is exposed.

Risk and Exploitability

The CVSS 3.1 score of 6.2 (vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects moderate severity with an availability-only impact, while an EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. An attack requires delivering a crafted or oversized cube file to iccFromCube (or to software that embeds that code path); the attack vector is rated local, so the realistic risk is to batch or server-side profile-generation pipelines that convert user-supplied cube files.

Generated by OpenCVE AI on April 18, 2026 at 10:43 UTC.

Remediation

No workaround is provided by the vendor. The fix is commit 43ae18dd69fc70190d3632a18a3af2f3da1e052a in the iccDEV repository; releases after 2.3.1.4 that contain it are not affected.

OpenCVE Recommended Actions

  • Upgrade iccDEV to a release newer than 2.3.1.4 that contains commit 43ae18dd69fc70190d3632a18a3af2f3da1e052a, or cherry-pick that commit if you build from source.
  • If the library is linked statically, rebuild and redeploy every application that embeds it; if it is linked dynamically, replace the shared library and restart the consumers so the fixed code path is actually in use.
  • Until the update is applied, reject or cap the cube grid size at the caller before invoking iccFromCube on untrusted input. The advisory lists no workaround, so treat this as a defense-in-depth measure rather than a substitute for the patch.

Generated by OpenCVE AI on April 18, 2026 at 10:43 UTC.
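The multiplication overflow described under Impact and the size-limit check suggested in the recommended actions, as an added C++ example. This is not the iccDEV source: parse3DTable() is not reproduced here, the function names, the LUT_3D_SIZE header handling and the 256-point grid cap are assumptions, and the two cube inputs are constructed for the demonstration.

```cpp
// Added illustrative example, not iccDEV code. It reconstructs the class of
// bug CVE-2026-27691 describes (signed overflow when multiplying cube
// dimensions) next to a hardened replacement. Names are assumptions.
#include <climits>
#include <cstddef>
#include <cstdint>
#include <optional>
#include <sstream>
#include <string>

// Naive size computation of the kind the advisory describes: a 3D LUT with
// N grid points per axis and 3 channels holds N*N*N*3 values. Computed in
// int, the product exceeds INT_MAX already at N = 895, which is undefined
// behaviour in C++. This helper evaluates in 64-bit and reports whether the
// int expression would have overflowed.
static bool naiveCountOverflows(int n) {
  if (n < 0 || n > 1000000) return true;  // out of range; keeps the 64-bit math itself safe
  long long v = static_cast<long long>(n) * n * n * 3;
  return v > INT_MAX;
}

// Hardened version: an explicit policy cap on the grid size (assumed value,
// not from the project) plus overflow-checked unsigned multiplication, so a
// hostile header is rejected before any table is allocated.
constexpr uint64_t kMaxGridSize = 256;

static std::optional<size_t> checkedLutEntries(long long n, unsigned channels) {
  if (n < 2 || static_cast<uint64_t>(n) > kMaxGridSize) return std::nullopt;
  uint64_t result = static_cast<uint64_t>(n);
  for (int i = 0; i < 2; ++i) {            // result = n*n*n, each step checked
    if (result > UINT64_MAX / static_cast<uint64_t>(n)) return std::nullopt;
    result *= static_cast<uint64_t>(n);
  }
  if (channels == 0 || result > UINT64_MAX / channels) return std::nullopt;
  result *= channels;
  return static_cast<size_t>(result);
}

// Finds the LUT_3D_SIZE header of a constructed .cube text and returns the
// validated entry count, or nullopt if the header is missing, malformed or
// out of range. Only the header is parsed; table rows are not read here.
static std::optional<size_t> parseCubeEntryCount(const std::string& cubeText) {
  std::istringstream in(cubeText);
  std::string line;
  while (std::getline(in, line)) {
    std::istringstream ls(line);
    std::string key;
    if (!(ls >> key) || key != "LUT_3D_SIZE") continue;
    long long n;
    if (!(ls >> n)) return std::nullopt;   // non-numeric size
    return checkedLutEntries(n, 3);
  }
  return std::nullopt;                      // header absent
}

// Constructed sample inputs (not files from the advisory).
static const char* kBenignCube =
    "TITLE \"identity\"\nLUT_3D_SIZE 2\n"
    "0 0 0\n1 0 0\n0 1 0\n1 1 0\n0 0 1\n1 0 1\n0 1 1\n1 1 1\n";
static const char* kHostileCube = "LUT_3D_SIZE 1300\n";  // 1300^3*3 > INT_MAX

int main() {
  // benign: 2*2*2*3 = 24 entries; hostile: rejected before any allocation
  bool ok = parseCubeEntryCount(kBenignCube) == std::optional<size_t>(24) &&
            !parseCubeEntryCount(kHostileCube).has_value() &&
            naiveCountOverflows(1300);
  return ok ? 0 : 1;
}
```

The cap makes the arithmetic trivially safe on its own; the division-based checks are kept so the function stays correct if the cap is raised later. A caller wrapping iccFromCube can apply the same header check to untrusted files before handing them to the converter.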


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Color; Color iccdev
CPEs | | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products | | Color; Color iccdev

Thu, 26 Feb 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products | | Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 25 Feb 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | | iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, signed integer overflow in iccFromCube.cpp during multiplication triggers undefined behavior, potentially causing crashes or incorrect ICC profile generation when processing crafted/large cube inputs. Commit 43ae18dd69fc70190d3632a18a3af2f3da1e052a fixes the issue. No known workarounds are available.
Title | | iccDEV has SIO in parse3DTable() at iccFromCube.cpp Line 218
Weaknesses | | CWE-190; CWE-681
References | |
Metrics | | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T20:42:19.363Z

Reserved: 2026-02-23T17:56:51.201Z

Link: CVE-2026-27691

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-25T15:20:52.553

Modified: 2026-02-26T15:50:36.843

Link: CVE-2026-27691

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses