Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow write in CIccMatrixMath::SetRange() causing memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption or denial of service
Action: Patch Now
AI Analysis

Impact

A heap‑based buffer overflow occurs in the CIccMatrixMath::SetRange() function of the iccDEV library. This flaw can lead to memory corruption and application crashes. The issue maps to CWE‑120, CWE‑122, and CWE‑787, underscoring insufficient bounds checking on heap allocations.

Affected Systems

The vulnerable versions of InternationalColorConsortium's iccDEV library are those earlier than 2.3.1.5. Any application or service that embeds or directly uses these older releases is susceptible to the buffer overflow.

Risk and Exploitability

The CVSS score of 7.8 classifies the vulnerability as high severity. The EPSS score is below 1%, indicating a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The overflow can lead to memory corruption or a crash, which may cause denial of service.

Generated by OpenCVE AI on April 17, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iccDEV library to version 2.3.1.5 or newer.
  • Ensure that all applications and services that depend on iccDEV reference the updated binary and recompile if necessary.
  • If a timely upgrade is not possible, limit ICC profile processing to trusted inputs and consider disabling ICC support in environments where it is not essential to reduce the attack surface.

Generated by OpenCVE AI on April 17, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow write in CIccMatrixMath::SetRange() causing memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Title iccDEV has a heap-based buffer overflow write in CIccMatrixMath::SetRange()
Weaknesses CWE-120
CWE-122
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:27.218Z

Reserved: 2026-03-07T17:53:48.818Z

Link: CVE-2026-30985

cve-icon Vulnrichment

Updated: 2026-03-10T19:27:55.729Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:57.663

Modified: 2026-03-13T20:29:11.863

Link: CVE-2026-30985

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses