Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow in CIccCalculatorFunc::InitSelectOp() triggered with local user interaction causing memory corruption/crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Heap Buffer Overflow
Action: Immediately Patch
AI Analysis

Impact

A heap-based buffer overflow exists in the CIccCalculatorFunc::InitSelectOp() routine of iccDEV, a library used for processing ICC color management profiles. When a local user supplies specially crafted input, the function fails to validate buffer boundaries, causing uncontrolled memory writes that corrupt heap memory and lead to a crash or potential arbitrary code execution. The flaw is tied to common CWE vulnerabilities involving buffer overflows and memory corruption.

Affected Systems

The bug affects all installations of the InternationalColorConsortium's iccDEV software released prior to version 2.3.1.5. Users running earlier releases of the library that reference CIccCalculatorFunc need to upgrade to the patched version to eliminate the vulnerable code paths.

Risk and Exploitability

The CVSS score of 7.8 classifies the flaw as high severity. Because the trigger requires local user interaction, the exploitability is limited to users who can directly invoke the vulnerable function; however, the potential for memory corruption or arbitrary code execution makes it a serious risk. The EPSS score of less than 1% suggests that current exploitation probability is low, and the vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog, reducing the urgency of immediate detection but still warranting rapid remediation.

Generated by OpenCVE AI on April 16, 2026 at 09:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all iccDEV installations to version 2.3.1.5 or later.
  • If an upgrade cannot be performed immediately, restrict or disable use of CIccCalculatorFunc::InitSelectOp() for untrusted local users to prevent triggering the buffer overflow.
  • Implement monitoring of application crashes or memory corruption events to detect any attempts to exploit the vulnerability in environments where the patch is pending.

Generated by OpenCVE AI on April 16, 2026 at 09:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow in CIccCalculatorFunc::InitSelectOp() triggered with local user interaction causing memory corruption/crash. This vulnerability is fixed in 2.3.1.5.
Title iccDEV has a heap-based buffer overflow in CIccCalculatorFunc::InitSelectOp()
Weaknesses CWE-120
CWE-122
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:27.894Z

Reserved: 2026-03-07T17:53:48.817Z

Link: CVE-2026-30979

cve-icon Vulnrichment

Updated: 2026-03-10T19:28:06.308Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:56.700

Modified: 2026-03-13T20:28:03.303

Link: CVE-2026-30979

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses