Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow in icFixXml() (strcpy) causing stack memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Stack Buffer Overflow – Memory Corruption
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the icFixXml() function of the iccDEV libraries, where a strcpy call copies input without bounds checking. By providing a crafted ICC profile, an attacker can overflow the stack buffer, resulting in memory corruption that may crash the process or corrupt adjacent stack data. The CVE description states only stack memory corruption or crash, with no indication of arbitrary code execution.

Affected Systems

International Color Consortium’s iccDEV libraries and tools before version 2.3.1.5 are affected. All releases newer than 2.3.1.5 contain the patch that removes the unsafe strcpy and prevents the overflow.

Risk and Exploitability

The vulnerability scores 7.8 on the CVSS score and has an EPSS probability of less than 1 %. It is not listed in the CISA KEV catalog, indicating no confirmed exploited public attacks. Likely exploitation requires the supply of a maliciously crafted ICC profile that triggers icFixXml(), which suggests a local or remote vector that can be exercised by any user or service parsing such profiles. With moderate to high severity and a low probability of exploitation, the risk remains significant for systems that routinely process untrusted ICC profiles.

Generated by OpenCVE AI on April 17, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.5 or later, following the release notes on GitHub for the applied patch.
  • If an upgrade is not immediately possible, restrict the use or deny loading of ICC profiles from untrusted or external sources until the patch is applied.
  • When processing ICC profiles, enforce strict input validation or limit the size of the input to prevent buffer overflows.

Generated by OpenCVE AI on April 17, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow in icFixXml() (strcpy) causing stack memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Title iccDEV has a stack buffer overflow in icFixXml()
Weaknesses CWE-120
CWE-121
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:27.497Z

Reserved: 2026-03-07T17:53:48.817Z

Link: CVE-2026-30983

cve-icon Vulnrichment

Updated: 2026-03-10T19:27:59.589Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:57.343

Modified: 2026-03-13T20:28:51.160

Link: CVE-2026-30983

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses