Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a stack overflow (SO) in SIccCalcOp::ArgsUsed(). The issue is observable under AddressSanitizer as a stack-overflow when iccApplyProfiles processes a malicious profile, with the crash occurring while computing argument usage during calculator underflow/overflow checks. This issue has been patched in version 2.3.1.6.
Published: 2026-03-31
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption via stack overflow, potential code execution
Action: Apply Patch
AI Analysis

Impact

A crafted ICC profile can trigger a stack overflow in the SIccCalcOp::ArgsUsed() routine of iccDEV. The vulnerability causes stack corruption that may lead to an application crash and, if control data is overwritten, potential arbitrary code execution. The weakness is a classic stack overflow, categorized under CWE-674.

Affected Systems

The defect exists in International Color Consortium’s iccDEV library versions prior to 2.3.1.6. Any system that processes user‑supplied ICC profiles with one of these older releases is vulnerable.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity; no EPSS data is available and the flaw is not listed in the CISA KEV catalog, suggesting limited known exploitation. It is inferred that the attack vector is a malicious ICC profile delivered to a system running iccDEV, possibly through an application that loads external profiles. Exploitation would require the attacker to supply such a profile; the impact would be either a denial of service or, on successful corruption of control flow, arbitrary code execution.

Generated by OpenCVE AI on April 1, 2026 at 06:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iccDEV to version 2.3.1.6 or later
  • Restrict the source of ICC profiles or sanitize inputs before processing
  • Monitor application logs for stack‑overflow crashes and investigate any anomalies

Generated by OpenCVE AI on April 1, 2026 at 06:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a stack overflow (SO) in SIccCalcOp::ArgsUsed(). The issue is observable under AddressSanitizer as a stack-overflow when iccApplyProfiles processes a malicious profile, with the crash occurring while computing argument usage during calculator underflow/overflow checks. This issue has been patched in version 2.3.1.6.
Title iccDEV: SO in SIccCalcOp::ArgsUsed()
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:58:47.938Z

Reserved: 2026-03-30T16:03:31.048Z

Link: CVE-2026-34536

cve-icon Vulnrichment

Updated: 2026-04-01T18:58:43.939Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T22:16:21.130

Modified: 2026-04-20T13:51:11.593

Link: CVE-2026-34536

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:10:17Z

Weaknesses