Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a segmentation fault (SEGV) in CIccTagArray::Cleanup(). The issue is observable under UBSan/ASan as misaligned member access / misaligned pointer loads followed by an invalid read leading to process crash when running iccRoundTrip on a malicious profile. This issue has been patched in version 2.3.1.6.
Published: 2026-03-31
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via segmentation fault
Action: Immediate Patch
AI Analysis

Impact

A crafted ICC profile triggers a segmentation fault within iccDEV’s CIccTagArray::Cleanup() routine, causing the process to crash when the iccRoundTrip tool parses the malicious profile. The flaw arises from misaligned member access and pointer loads that culminate in an invalid read. Because the vulnerability results in an application crash rather than code execution, its principal impact is denial of service, potentially disrupting any software that relies on iccDEV for color‑profile handling.

Affected Systems

The International Color Consortium’s iccDEV library, versions prior to 2.3.1.6, is affected. Any system that processes third‑party ICC profiles—such as photo editing, printing, or color‑management applications—can experience crashes when encountering a malicious profile.

Risk and Exploitability

This vulnerability carries a CVSS score of 6.2, indicating moderate severity. The flaw is likely exploitable through any client that accepts ICC profiles, whether from an external source or a local user. The attacker can supply a malicious profile to a vulnerable application to force a crash. Since no exploit has been publicly disclosed and the flaw does not lead to code execution, the risk is limited to service interruption rather than a complete compromise.

Generated by OpenCVE AI on April 1, 2026 at 06:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.6 or newer
  • Restart any services that rely on iccDEV to ensure the patch takes effect


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Internationalcolorconsortium; Internationalcolorconsortium iccdev |
| Vendors & Products | | Internationalcolorconsortium; Internationalcolorconsortium iccdev |

Wed, 01 Apr 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 01 Apr 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a segmentation fault (SEGV) in CIccTagArray::Cleanup(). The issue is observable under UBSan/ASan as misaligned member access / misaligned pointer loads followed by an invalid read leading to process crash when running iccRoundTrip on a malicious profile. This issue has been patched in version 2.3.1.6. |
| Title | | iccDEV: SEGV in CIccTagArray::Cleanup() |
| Weaknesses | | CWE-122 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:33:37.621Z

Reserved: 2026-03-30T16:03:31.048Z

Link: CVE-2026-34535

Vulnrichment

Updated: 2026-04-01T13:33:25.551Z

NVD

Status: Undergoing Analysis

Published: 2026-03-31T22:16:20.960

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-34535

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:18Z

Weaknesses