Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a segmentation fault due to invalid/wild pointer read in CIccCalculatorFunc::ApplySequence() causing denial of service. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The flaw is a segmentation fault caused by an invalid (wild) pointer read in CIccCalculatorFunc::ApplySequence(); the bad read crashes the process, resulting in a denial of service. The weakness is classified as an out-of-bounds read (CWE-125) and is triggered when the function processes malformed or unexpected data.

Affected Systems

International Color Consortium's iccDEV libraries and tools in all releases prior to version 2.3.1.5. The fix was introduced in release 2.3.1.5; that release and later ones are not affected.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score below 1% reflects a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The advisory does not detail the attack vector, but the fault is presumably reached when the vulnerable function is invoked, for example while loading a crafted ICC profile or otherwise supplying unexpected data to the library; the CVSS vector (AV:L, UI:R) likewise points to a local attack that requires user interaction. An attacker with local or application-level access could therefore trigger the crash and interrupt service.

Generated by OpenCVE AI on April 16, 2026 at 03:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.5 or later, which contains the patch for the pointer/read bug.
  • If the upgrade cannot be performed immediately, run any applications that use iccDEV with the least privilege possible to limit the impact of a crash.
  • Set up monitoring to detect unhandled segmentation faults in applications that depend on iccDEV, and isolate affected services so that a single crash does not bring down the entire system.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Color; Color iccdev
CPEs                |                | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products  |                | Color; Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products  |                | Internationalcolorconsortium; Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 18:15:00 +0000

Type        | Values Removed | Values Added
Description |                | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a segmentation fault due to invalid/wild pointer read in CIccCalculatorFunc::ApplySequence() causing denial of service. This vulnerability is fixed in 2.3.1.5.
Title       |                | iccDEV has a SEGV in CIccCalculatorFunc::ApplySequence()
Weaknesses  |                | CWE-125; CWE-703
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:26.656Z

Reserved: 2026-03-09T16:33:42.912Z

Link: CVE-2026-31793

Vulnrichment

Updated: 2026-03-10T19:27:47.567Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:59.573

Modified: 2026-03-13T20:30:30.350

Link: CVE-2026-31793

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses