Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform() causing invalid vptr dereference and crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The flaw is a heap-use-after-free in the iccDEV library's CIccCmm::AddXform() function, which can cause a program to dereference a freed object (an invalid vptr dereference) and crash. The advisory describes only an application termination scenario, so the documented impact is a denial-of-service condition. No evidence of code execution or privilege escalation is provided, so the impact remains limited to service disruption.

Affected Systems

International Color Consortium’s iccDEV libraries and tools before version 2.3.1.5 are vulnerable. Any deployment that uses these earlier releases, particularly those that invoke CIccCmm::AddXform(), is affected.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, but the EPSS score below 1% suggests a very low likelihood of exploitation, and the issue is not listed in the CISA KEV catalog. The advisory does not describe a working exploit path; the documented outcome is a crash rather than externally controlled code execution. To pose a risk beyond denial of service, an attacker would need to supply input that reaches the AddXform() routine in a context where the freed memory can be manipulated.

Generated by OpenCVE AI on April 16, 2026 at 03:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.5 or later to apply the heap-use-after-free fix.
  • If an upgrade cannot be performed immediately, avoid invoking CIccCmm::AddXform() in your application or restrict its use to trusted input only.
  • Review any code that dynamically loads or processes ICC profiles and ensure that inputs are validated to prevent potential dereference of dangling pointers.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:30:00 +0000

First Time appeared
  Values removed: (none)
  Values added: Color; Color iccdev
CPEs
  Values removed: (none)
  Values added: cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products
  Values removed: (none)
  Values added: Color; Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

First Time appeared
  Values removed: (none)
  Values added: Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products
  Values removed: (none)
  Values added: Internationalcolorconsortium; Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Metrics
  Values removed: (none)
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 18:15:00 +0000

Description
  Values removed: (none)
  Values added: iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform() causing invalid vptr dereference and crash. This vulnerability is fixed in 2.3.1.5.
Title
  Values removed: (none)
  Values added: Heap-use-after-free in CIccCmm::AddXform()
Weaknesses
  Values removed: (none)
  Values added: CWE-416; CWE-672; CWE-825
References
  Values removed: (none)
  Values added: (none)
Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:28.062Z

Reserved: 2026-03-07T17:53:48.817Z

Link: CVE-2026-30978

Vulnrichment

Updated: 2026-03-10T19:28:08.200Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:56.537

Modified: 2026-03-13T20:27:31.860

Link: CVE-2026-30978

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses