Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CTiffImg::ReadLine() when iccApplyProfiles processes a crafted TIFF image, causing memory disclosure or crash. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Disclosure
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a heap out‑of‑bounds read in CTiffImg::ReadLine() within the iccApplyProfiles function of the iccDEV library. The flaw, classified as CWE‑125 and CWE‑787, allows a crafted TIFF image to cause either a memory disclosure or a crash. The vulnerability is local in nature and can potentially expose sensitive data residing on the system’s memory space when the library processes malicious image data.

Affected Systems

The affected product is InternationalColorConsortium’s iccDEV library. Versions earlier than 2.3.1.5 are vulnerable. The security fix is delivered in release 2.3.1.5.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity impact. EPSS scoring below 1 % signals a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, suggesting there are no known widespread attacks. Attackers would need to supply a malicious TIFF image to a process using iccDEV, which is typically local to the application. Successful exploitation could result in the disclosure of sensitive memory contents or an application crash, potentially leading to denial of service on the host system.

Generated by OpenCVE AI on April 16, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.5 or later from the InternationalColorConsortium release repository.
  • If an upgrade cannot be performed immediately, limit the processing of TIFF files to trusted sources only, or run the image handling code in a sandboxed environment.
  • Consider monitoring the application for crash events or abnormal memory reads, and enforce strict file size or type validation to reduce the risk of exploitation.

Generated by OpenCVE AI on April 16, 2026 at 03:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CTiffImg::ReadLine() when iccApplyProfiles processes a crafted TIFF image, causing memory disclosure or crash. This vulnerability is fixed in 2.3.1.5.
Title iccDEV has a heap out-of-bounds read in CTiffImg::ReadLine()
Weaknesses CWE-125
CWE-787
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:25.965Z

Reserved: 2026-03-09T16:33:42.912Z

Link: CVE-2026-31797

cve-icon Vulnrichment

Updated: 2026-03-10T19:27:36.861Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T18:19:00.347

Modified: 2026-03-13T19:30:09.473

Link: CVE-2026-31797

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses