Impact
The vulnerability is a heap out-of-bounds read in the CIccPcsXform::pushXYZConvert() function of the iccDEV library. It allows an attacker to read data beyond the intended buffer, potentially exposing sensitive memory contents and causing an application crash. The weakness is classified under CWE-122, CWE-125, and CWE-129, indicating improper handling of heap memory, out-of-bounds read, and signed‑to‑unsigned conversion. The result is a compromise of confidentiality and service availability.
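The advisory does not publish the faulty code, so the following is an added, hypothetical illustration of the weakness class it names (an index derived from untrusted profile data reaching a heap buffer) beside the check that prevents it. It is not iccDEV code: the XyzBuffer type, the channel/component layout, and the function names are assumptions made for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical (not iccDEV): a PCS conversion step reads one XYZ triple per
// channel out of a heap buffer whose length was fixed when it was allocated,
// while the channel count and indices come from an untrusted ICC profile.
struct XyzBuffer {
    std::vector<float> data;   // 3 floats per channel, heap-allocated
};

// Unsafe pattern: trusts the caller-supplied signed indices. A negative
// channel wraps to a huge size_t and a large one runs past data.size(), which
// is the CWE-125 / CWE-129 shape the advisory describes. Shown only for
// contrast with the checked version below.
float unchecked_read(const XyzBuffer& buf, int channel, int component) {
    return buf.data[static_cast<size_t>(channel) * 3 + component];
}

// Checked version: rejects negative indices before they are converted to
// size_t, guards the multiplication against overflow, and compares the final
// index against the real allocation size before dereferencing.
std::optional<float> checked_read(const XyzBuffer& buf, int channel, int component) {
    if (channel < 0 || component < 0 || component > 2) return std::nullopt;
    const size_t ch = static_cast<size_t>(channel);
    if (ch > (SIZE_MAX - 3) / 3) return std::nullopt;   // ch * 3 + 2 would overflow
    const size_t idx = ch * 3 + static_cast<size_t>(component);
    if (idx >= buf.data.size()) return std::nullopt;
    return buf.data[idx];
}

// Validate a profile-declared channel count against the allocation once, up
// front, so the per-sample path never has to trust the profile's own numbers.
bool channel_count_fits(const XyzBuffer& buf, uint32_t declared_channels) {
    return static_cast<size_t>(declared_channels) <= buf.data.size() / 3;
}
```

The up-front channel_count_fits() check is the cheaper fix: once the declared count is known to match the allocation, every later read stays in bounds without per-sample arithmetic. checked_read() is the defensive fallback for code paths where the count cannot be validated earlier.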
Affected Systems
Affected products belong to the International Color Consortium's iccDEV suite. Versions prior to 2.3.1.5 are vulnerable. Any deployment that uses iccDEV to process ICC profiles is potentially at risk. The vulnerability is not limited to a specific operating system; it exists in the cross‑platform C++ library itself.
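Because the fixed version has four numeric segments, a naive string comparison misclassifies builds such as "2.3.1" or "2.4". The following added example (not part of the advisory or of iccDEV) compares dotted version strings segment by segment against 2.3.1.5, treating missing trailing segments as zero; it assumes every segment is a plain non-negative integer.

```cpp
#include <algorithm>
#include <sstream>
#include <string>
#include <vector>

// Fixed version taken from the advisory: builds below this are affected.
const std::string kIccDevFixedVersion = "2.3.1.5";

// Split "2.3.1.5" into {2,3,1,5}. Assumes numeric segments only; an empty
// segment (e.g. a trailing dot) is read as 0.
static std::vector<unsigned long> parse_version(const std::string& v) {
    std::vector<unsigned long> parts;
    std::stringstream ss(v);
    std::string seg;
    while (std::getline(ss, seg, '.')) {
        parts.push_back(seg.empty() ? 0UL : std::stoul(seg));
    }
    return parts;
}

// Returns <0, 0 or >0 like strcmp, comparing segments numerically so that
// "2.10" sorts after "2.9" and "2.3.1" equals "2.3.1.0".
int compare_versions(const std::string& a, const std::string& b) {
    std::vector<unsigned long> pa = parse_version(a), pb = parse_version(b);
    const size_t n = std::max(pa.size(), pb.size());
    pa.resize(n, 0);
    pb.resize(n, 0);
    for (size_t i = 0; i < n; ++i) {
        if (pa[i] != pb[i]) return pa[i] < pb[i] ? -1 : 1;
    }
    return 0;
}

// True when an installed iccDEV version string is older than the fix.
bool iccdev_version_is_vulnerable(const std::string& installed) {
    return compare_versions(installed, kIccDevFixedVersion) < 0;
}
```

Feed this the version reported by the package manager or embedded in the linked library during an inventory pass; anything returning true should be scheduled for upgrade to 2.3.1.5 or later.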
Risk and Exploitability
The CVSS base score is 6.1, indicating medium severity. An EPSS score below 1% implies a low likelihood of widespread exploitation. The vulnerability does not appear in the CISA KEV list, so no active exploitation is known. The attack vector is not explicitly stated in the advisory; from the description, the inferred path is that an attacker supplies a crafted ICC profile to a process that uses iccDEV, triggering the out‑of‑bounds read and causing memory disclosure or a crash. Therefore, while the probability of exploitation is low, any system that handles externally supplied ICC data should account for this risk when evaluating its overall threat posture.
OpenCVE Enrichment