Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow in icCurvesFromXml() causing heap memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Heap-based Buffer Overflow causing memory corruption and potential crash
Action: Immediate Patch
AI Analysis

Impact

A heap‑based buffer overflow exists in the icCurvesFromXml() routine of the iccDEV library, which processes XML curve data for ICC color profiles. The flaw arises from improper bounds checking and is classified as CWE‑122 and CWE‑787. An attacker can supply a crafted XML file that triggers the overflow, corrupting heap memory, causing the application to crash.

Affected Systems

The vulnerability affects versions of the International Color Consortium’s iccDEV library older than 2.3.1.5. Systems that load or convert ICC profiles using this library, or applications that embed the library, are at risk if they process untrusted XML content. This includes any software that accepts user‑supplied color profiles in environments where the library is available.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity, while the EPSS of less than 1% suggests a low exploitation likelihood at present. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation would likely require delivery of a malicious XML profile to an application that calls icCurvesFromXml(), making it a local or file‑based threat unless the library is exposed through a network‑accessible service. No remote exploit path is documented. The impact is limited to the host running the vulnerable library, as the overflow occurs on the heap within the process.

Generated by OpenCVE AI on April 17, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iccDEV library to version 2.3.1.5 or later on all affected systems.
  • If an upgrade cannot be applied immediately, configure the environment so that applications using iccDEV never load or parse untrusted XML content. This can be achieved by rejecting foreign profiles, using safe defaults, or sandboxing the image processing component.
  • Apply strict input validation or restrict privileges for the processes that invoke iccDEV, reducing the risk of code execution if an overflow occurs.

Generated by OpenCVE AI on April 17, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow in icCurvesFromXml() causing heap memory corruption or crash. This vulnerability is fixed in 2.3.1.5.
Title iccDEV has a heap-based buffer overflow in icCurvesFromXml()
Weaknesses CWE-122
CWE-787
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:26.109Z

Reserved: 2026-03-09T16:33:42.912Z

Link: CVE-2026-31796

cve-icon Vulnrichment

Updated: 2026-03-10T19:27:38.967Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:19:00.150

Modified: 2026-03-13T20:34:05.630

Link: CVE-2026-31796

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T11:45:06Z

Weaknesses