Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow write in CIccXform3DLut::Apply() corrupting stack memory or crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

ICCDEV's CIccXform3DLut::Apply function performs an unchecked memory write that overwrites data on the stack, which can lead to a crash or unpredictable behavior. The vulnerability represents a classic stack buffer overflow (CWE-120, CWE-121, CWE-787) and may also allow an attacker to corrupt application state if they supply crafted input. While the description does not confirm arbitrary code execution, the nature of the flaw introduces the possibility of executing unintended instructions under favorable conditions.

Affected Systems

The ICCDEV library produced by the International Color Consortium is affected. All releases before version 2.3.1.5 contain the vulnerability. Software that links either statically or dynamically to these earlier libraries is therefore at risk until the fix is applied.

Risk and Exploitability

The CVSS score of 7.8 classifies the issue as high severity. EPSS indicates a less than 1% probability of exploitation at the time of this report. The vulnerability is not listed in the CISA KEV catalog, so there are no known active or publicly documented exploits. The likely attack vector involves an application that feeds untrusted or malformed 3‑D LUT data to the library; a local user or process with write access to the affected code path can trigger the overflow. Absent a privilege escalation or additional configuration weaknesses, the impact is most likely limited to a denial of service, but deterministic arbitrary code execution is not established by the available data.

Generated by OpenCVE AI on April 16, 2026 at 09:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.5 or newer.
  • Rebuild or relink all dependent third‑party applications to use the patched library or an unaltered newer release.
  • If an update is not immediately feasible, restrict processing of 3‑D LUT transformations to data from trusted sources or disable the feature until the library can be replaced.

Generated by OpenCVE AI on April 16, 2026 at 09:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack buffer overflow write in CIccXform3DLut::Apply() corrupting stack memory or crash. This vulnerability is fixed in 2.3.1.5.
Title iccDEV has a stack buffer overflow write in CIccXform3DLut::Apply()
Weaknesses CWE-120
CWE-121
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:26.270Z

Reserved: 2026-03-09T16:33:42.912Z

Link: CVE-2026-31795

cve-icon Vulnrichment

Updated: 2026-03-10T19:27:42.259Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:18:59.933

Modified: 2026-03-13T20:33:55.970

Link: CVE-2026-31795

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses