Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a segmentation fault from invalid/wild pointer read in CIccCLUT::Interp3d() causing a denial of service. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Segmentation Fault
Action: Patch Upgrade
AI Analysis

Impact

ic cDEV contains a bug in the CIccCLUT::Interp3d() routine that triggers a segmentation fault when a wild or invalid pointer is dereferenced. The resulting crash causes a denial of service by terminating the process that is handling the ICC profile. This flaw is a classic out‑of‑bounds read (CWE‑125) coupled with a use‑after‑free condition (CWE‑703).

Affected Systems

The vulnerability affects all installations of International Color Consortium’s iccDEV library prior to version 2.3.1.5. Systems that compile or link against iccDEV, such as color management tools or imaging applications that load ICC profiles, are susceptible if they use a version older than the released patch.

Risk and Exploitability

The CVSS score of 5.5 places the issue in the medium severity range, and an EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The CVE is not listed in the CISA KEV catalog. The likely attack path involves an attacker supplying a malicious ICC profile that forces the vulnerable library to read an out‑of‑bounds or freed pointer, leading to a crash. No external access vector is required; exploitation is confined to the local process that loads the profile. While the impact is limited to a denial of service for that process, repeated crashes could degrade system availability, especially in high‑throughput or unattended environments.

Generated by OpenCVE AI on April 16, 2026 at 03:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to the patched release 2.3.1.5 or later
  • If upgrading is not immediately feasible, isolate any applications that load ICC profiles from untrusted data sources to prevent the crash from affecting critical services
  • Deploy input validation or runtime checks against malformed ICC profiles to reduce the likelihood of the pointer read occurring, aligning with best practices for handling structured binary data

Generated by OpenCVE AI on April 16, 2026 at 03:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a segmentation fault from invalid/wild pointer read in CIccCLUT::Interp3d() causing a denial of service. This vulnerability is fixed in 2.3.1.5.
Title iccDEV has a SEGV in CIccCLUT::Interp3d()
Weaknesses CWE-125
CWE-703
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:26.466Z

Reserved: 2026-03-09T16:33:42.912Z

Link: CVE-2026-31794

cve-icon Vulnrichment

Updated: 2026-03-10T19:27:45.157Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:59.757

Modified: 2026-03-13T20:30:38.547

Link: CVE-2026-31794

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses