Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack overflow in CIccBasicStructFactory::CreateStruct() causing uncontrolled recursion/stack exhaustion and crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

iccDEV contains a stack overflow vulnerability in the CIccBasicStructFactory::CreateStruct() function. The flaw causes uncontrolled recursion and stack exhaustion, leading to a crash. This is a classic stack overflow (CWE-121) coupled with resource exhaustion (CWE-400) and improper control flow handling (CWE-674). The primary impact is a denial of service as the error terminates the process that is handling ICC profiles.

Affected Systems

The issue affects the International Color Consortium’s iccDEV library and associated tools on all versions released prior to 2.3.1.5. Version 2.3.1.5 and later include the fix, removing the vulnerable recursion path.

Risk and Exploitability

CVSS indicates a moderate severity of 5.5, while the EPSS score is below 1%, implying a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require an attacker to supply a specially crafted ICC profile or otherwise trigger the recursive parsing path in a context where the library is loaded, which may be limited to environments that dynamically process ICC data. Given the low exploitation probability and the nature of the crash, the risk remains primarily a local denial of service rather than a remote code execution vector.

Generated by OpenCVE AI on April 16, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.5 or later, which removes the recursion that causes stack exhaustion.
  • If an upgrade cannot be performed immediately, validate all ICC profiles before processing and isolate the application so that crashes do not affect other services.
  • Monitor for unexpected process termination and apply any future patches or vendor advisories as they become available.

Generated by OpenCVE AI on April 16, 2026 at 03:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack overflow in CIccBasicStructFactory::CreateStruct() causing uncontrolled recursion/stack exhaustion and crash. This vulnerability is fixed in 2.3.1.5.
Title iccDEV has a stack overflow in CIccBasicStructFactory::CreateStruct()
Weaknesses CWE-121
CWE-400
CWE-674
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:25.781Z

Reserved: 2026-03-07T17:53:48.817Z

Link: CVE-2026-30980

cve-icon Vulnrichment

Updated: 2026-03-10T19:27:34.647Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:56.863

Modified: 2026-03-13T20:28:15.340

Link: CVE-2026-30980

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses