Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CIccCalculatorFunc::ApplySequence() causing an application crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Application Crash (Denial of Service)
Action: Apply Patch
AI Analysis

Impact

A heap out‑of‑bounds read occurs in the CIccCalculatorFunc::ApplySequence() function of iccDEV, causing the application that uses this library to crash. The vulnerability is a classic memory‑safety flaw (CWE-125, out‑of‑bounds read, and CWE-129, improper validation of an array index) that leads to a denial of service rather than code execution or data exfiltration. The impact is confined to whichever process loads and processes ICC profiles with the affected library: that process terminates abruptly.

Affected Systems

The International Color Consortium’s iccDEV library earlier than version 2.3.1.5 is susceptible. The fix is incorporated in release 2.3.1.5, available for all supported platforms. Any system that integrates iccDEV without upgrading to this version or later may crash when processing certain ICC profiles.

Risk and Exploitability

The CVSS score of 6.1 places this vulnerability in the moderate severity range. The EPSS score is reported as less than 1%, indicating a very low probability of exploitation in the wild, and there is no indication that it has been listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a crafted ICC profile that triggers the out‑of‑bounds read when parsed; consistent with the CVSS vector (AV:L, UI:R), this requires the profile to be delivered to and opened by the affected application rather than being reachable over the network. While the flaw does not give an attacker control of code or data, it can be abused to cause denial of service against services that handle color profiles.

Generated by OpenCVE AI on April 16, 2026 at 03:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iccDEV to version 2.3.1.5 or later to eliminate the heap out‑of‑bounds read.
  • If an immediate update is not possible, ensure that the application using iccDEV logs crashes and implements graceful fallback or error handling to prevent the entire service from terminating.
  • Verify that any critical services dependent on ICC profiles are isolated or sandboxed so that a single crash does not propagate to other components.


Tracking


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Color; Color iccdev
CPEs                 (none)           cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Color; Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products   (none)           Internationalcolorconsortium; Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics              (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Description          (none)           iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CIccCalculatorFunc::ApplySequence() causing an application crash. This vulnerability is fixed in 2.3.1.5.
Title                (none)           iccDEV has a heap out-of-bounds read in CIccCalculatorFunc::ApplySequence()
Weaknesses           (none)           CWE-125; CWE-129
References           (none)           (none)
Metrics              (none)           cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:27.359Z

Reserved: 2026-03-07T17:53:48.817Z

Link: CVE-2026-30984

Vulnrichment

Updated: 2026-03-10T19:27:57.617Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:57.503

Modified: 2026-03-13T20:29:03.477

Link: CVE-2026-30984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses