Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) in CIccOpDefEnvVar::Exec() due to invalid enum values being loaded for icSigCmmEnvVar. The issue is observable under UBSan as a “load of value … not a valid value for type icSigCmmEnvVar”, indicating an invalid enum/type value being consumed during ICC profile processing. This issue has been patched in version 2.3.1.6.
Published: 2026-03-31
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Undefined Behavior (potential crash or erratic operation)
Action: Apply Patch
AI Analysis

Impact

A crafted ICC profile can trigger undefined behavior in the CIccOpDefEnvVar::Exec() routine of the iccDEV library due to invalid enum values for icSigCmmEnvVar. This undefined behavior may cause a crash or lead the program to consume an unexpected value during profile processing. The weakness is classified under CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior), and there is no evidence of remote code execution.
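The pattern behind this CWE-758 finding (the enum load described in the Description and in the Impact paragraph above), as an added C++ example that is not iccDEV's own code: a 32-bit signature taken from the profile is cast straight into an enum, beside a version that checks the raw integer against the known enumerators first. The enum EnvVarSig, its members, the sample signatures and the byte fields are constructed stand-ins for icSigCmmEnvVar, not the library's real values.

```cpp
#include <cstdint>

// Constructed stand-in for icSigCmmEnvVar (members and values are not iccDEV's).
// An unscoped enum with no fixed underlying type is what UBSan's enum check
// covers: loading a value outside the enumerators' range is the reported UB.
enum EnvVarSig {
    EnvVarSig_Unknown = 0x00000000,
    EnvVarSig_Alpha   = 0x616c7068,  // 'alph', example signature only
    EnvVarSig_Beta    = 0x62657461   // 'beta', example signature only
};

// ICC profiles store signatures big-endian; decode a 4-byte field.
std::uint32_t readBE32(const std::uint8_t* p) {
    return (std::uint32_t(p[0]) << 24) | (std::uint32_t(p[1]) << 16) |
           (std::uint32_t(p[2]) << 8)  |  std::uint32_t(p[3]);
}

// Vulnerable pattern (CWE-758): whatever the file says becomes the enum value.
// A crafted field such as 0xFFFFFFFF yields the "load of value ... not a valid
// value for type" report, and every later switch runs on an unanticipated value.
EnvVarSig loadEnvVarUnchecked(std::uint32_t raw) {
    return static_cast<EnvVarSig>(raw);
}

// Hardened form: match the raw integer against known signatures before it ever
// becomes an EnvVarSig, and reject the element otherwise.
bool loadEnvVarChecked(std::uint32_t raw, EnvVarSig* out) {
    EnvVarSig sig;
    switch (raw) {
        case EnvVarSig_Unknown: sig = EnvVarSig_Unknown; break;
        case EnvVarSig_Alpha:   sig = EnvVarSig_Alpha;   break;
        case EnvVarSig_Beta:    sig = EnvVarSig_Beta;    break;
        default:                return false;  // unknown/crafted signature
    }
    if (out) *out = sig;
    return true;
}

// Constructed sample fields: one valid signature and one crafted out-of-range
// value. Returns true when the checked loader accepts the first and rejects
// the second, i.e. the crafted value never reaches the enum.
bool checkedLoaderHandlesSampleFields() {
    const std::uint8_t valid[4]   = {0x61, 0x6c, 0x70, 0x68};  // 'alph'
    const std::uint8_t crafted[4] = {0xff, 0xff, 0xff, 0xff};
    EnvVarSig sig = EnvVarSig_Unknown;
    bool okValid   = loadEnvVarChecked(readBE32(valid), &sig) && sig == EnvVarSig_Alpha;
    bool okCrafted = !loadEnvVarChecked(readBE32(crafted), &sig);
    return okValid && okCrafted;
}
```

Compiling the unchecked path with -fsanitize=enum and feeding it the crafted field reproduces the class of report quoted in the advisory; the checked path produces no such load.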

Affected Systems

The vulnerability affects the International Color Consortium’s iccDEV libraries and tools before version 2.3.1.6. All releases older than 2.3.1.6 are susceptible; the issue is resolved in 2.3.1.6 and later.

Risk and Exploitability

The CVSS base score of 6.2 indicates moderate severity, and no EPSS score or KEV listing is available. Exploitation requires delivering a malicious ICC profile to a process that uses iccDEV, which is feasible for applications that import user-supplied color profiles. The attack is likely local, or dependent on the application's willingness to accept arbitrary profiles, and the impact is limited to crashes or unpredictable behavior rather than arbitrary code execution.

Generated by OpenCVE AI on April 1, 2026 at 06:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.6 or later
  • Validate and filter ICC profiles from untrusted sources before processing to mitigate the risk of undefined behavior



Advisories

No advisories yet.

History

Fri, 03 Apr 2026 17:45:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products  |                | Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 01 Apr 2026 02:15:00 +0000

Type        | Values Removed | Values Added
Description |                | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) in CIccOpDefEnvVar::Exec() due to invalid enum values being loaded for icSigCmmEnvVar. The issue is observable under UBSan as a “load of value … not a valid value for type icSigCmmEnvVar”, indicating an invalid enum/type value being consumed during ICC profile processing. This issue has been patched in version 2.3.1.6.
Title       |                | iccDEV: UB in CIccOpDefEnvVar::Exec()
Weaknesses  |                | CWE-758
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:39:51.008Z

Reserved: 2026-03-30T16:03:31.048Z

Link: CVE-2026-34537

Vulnrichment

Updated: 2026-04-03T16:39:47.207Z

NVD

Status: Undergoing Analysis

Published: 2026-03-31T22:16:21.287

Modified: 2026-04-01T14:23:37.727

Link: CVE-2026-34537

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:16Z

Weaknesses