Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow write in CIccMatrixMath::SetRange() causing memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

iccDEV, a library suite for ICC color management, contains a heap‑based buffer overflow in the CIccMatrixMath::SetRange() function. When the function writes beyond the bounds of an allocated buffer, the overflow corrupts adjacent heap memory, which can lead to application crashes or other unpredictable behavior. The flaw is an out‑of‑bounds write that violates memory safety and can disrupt color processing tasks, but does not directly provide an execution path for arbitrary code.

Affected Systems

Systems that embed the International Color Consortium’s iccDEV library older than version 2.3.1.5 are susceptible. The fix is included in release 2.3.1.5 and later, so any installation using that or an older version should be identified. The affected code is part of the library’s core mathematical operations used in color management workflows on both desktop and server environments.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation at present, and the vulnerability is not cataloged in the CISA KEV database. Attacks would require a local or privileged process that can supply crafted input to the library function, so remote exploitation is unlikely. The primary risk remains denial of service or memory corruption that could compromise applications relying on iccDEV.

Generated by OpenCVE AI on April 16, 2026 at 09:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.5 or later, which removes the heap overflow in CIccMatrixMath::SetRange().
  • If an upgrade cannot be performed immediately, restrict the use of iccDEV to trusted data sources and implement input validation to ensure that no data can cause the function to exceed buffer bounds.
  • Keep the system under observation by reviewing crash logs or memory allocation failures and patch the library promptly when a newer secure release becomes available.

Generated by OpenCVE AI on April 16, 2026 at 09:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow write in CIccMatrixMath::SetRange() causing memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Title iccDEV has a heap-based buffer overflow write in CIccCLUT::Interp3d()
Weaknesses CWE-125
CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:27.085Z

Reserved: 2026-03-07T17:53:48.818Z

Link: CVE-2026-30986

cve-icon Vulnrichment

Updated: 2026-03-10T19:27:53.762Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:57.827

Modified: 2026-03-13T20:29:34.387

Link: CVE-2026-30986

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses