Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow in CIccTagNum<>::GetValues() causing stack memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Stack Buffer Overflow causing memory corruption or crash
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the CIccTagNum<>::GetValues() routine of the iccDEV library, where an ICC tag value is copied into a buffer without proper bounds checking. This results in a stack buffer overflow that can corrupt stack memory or trigger a crash. The flaw is classified as a memory corruption weakness (CWE-120, CWE-121, CWE-787). If exploited with a malicious ICC profile, an attacker could potentially hijack program flow or cause a denial of service by terminating the process.

Affected Systems

The product affected is iccDEV, a collection of C and C++ libraries and tools for ICC color profile handling developed by the International Color Consortium. Versions earlier than 2.3.1.5 are vulnerable; the 2.3.1.5 release contains the applicable fix.

Risk and Exploitability

The CVSS score of 7.8 signals high severity, and the EPSS score under 1% indicates a low but non‑zero likelihood of exploitation. No publicly confirmed exploits are listed in CISA’s KEV catalog. The flaw is likely triggered by parsing a crafted ICC file, so the attack vector involves supplying a malicious profile to any application that processes ICC data with the vulnerable library.

Generated by OpenCVE AI on April 17, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to 2.3.1.5 or later to apply the stack‑buffer‑overflow fix.
  • Update all applications and dependent libraries that link against older iccDEV versions.
  • If an immediate upgrade is not possible, limit ICC profile processing to trusted, verified sources and perform integrity checks before loading the files.

Generated by OpenCVE AI on April 17, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow in CIccTagNum<>::GetValues() causing stack memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Title iccDEV has a stack buffer overflow in CIccTagNum<(icTagTypeSignature)>::GetValues()
Weaknesses CWE-120
CWE-121
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:26.962Z

Reserved: 2026-03-07T17:53:48.818Z

Link: CVE-2026-30987

cve-icon Vulnrichment

Updated: 2026-03-10T19:27:51.701Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:58.003

Modified: 2026-03-13T20:29:44.410

Link: CVE-2026-30987

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses