Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-buffer-overflow read in CIccXmlArrayType<>::DumpArray() causing out-of-bounds read and/or crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑bounds read that may trigger a crash or expose sensitive data
Action: Apply Latest Patch
AI Analysis

Impact

iccDEV libraries contain a heap‑buffer‑overflow read in the CIccXmlArrayType<>::DumpArray() function, allowing an attacker to read memory beyond the intended buffer. This vulnerable code path can lead to a program crash or the disclosure of non‑public information. The issue is classed under CWE‑120, CWE‑125, and CWE‑787, which are all related to heap buffer overreads and related memory corruption weaknesses.

Affected Systems

All installations of International Color Consortium iccDEV older than version 2.3.1.5 are affected. The vulnerability exists in the core library and any tool that imports or processes ICC XML profiles via this function. Version 2.3.1.5 and later include the fix.

Risk and Exploitability

The CVSS score 6.1 categorizes this as a medium severity vulnerability. Exploit probability is low with an EPSS score of less than 1 %. It is not listed in the CISA KEV catalog, indicating no known large‑scale exploited instances. Based on the description, the likely attack vector is local or within any process that loads ICC profiles; an attacker would need to supply crafted XML data to trigger the overflow, thus requiring some level of input control.

Generated by OpenCVE AI on April 16, 2026 at 03:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iccDEV to version 2.3.1.5 or newer to remove the overread
  • If an update cannot be applied immediately, isolate or disable any functionality that invokes CIccXmlArrayType::DumpArray() in the affected applications
  • Continue monitoring the International Color Consortium security advisories for additional mitigation guidance

Generated by OpenCVE AI on April 16, 2026 at 03:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-buffer-overflow read in CIccXmlArrayType<>::DumpArray() causing out-of-bounds read and/or crash. This vulnerability is fixed in 2.3.1.5.
Title iccDEV has a heap-buffer-overflow read in CIccXmlArrayType<>
Weaknesses CWE-120
CWE-125
CWE-787
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:27.754Z

Reserved: 2026-03-07T17:53:48.817Z

Link: CVE-2026-30981

cve-icon Vulnrichment

Updated: 2026-03-10T19:28:04.214Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:57.020

Modified: 2026-03-13T20:28:34.250

Link: CVE-2026-30981

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses