Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted TIFF input can trigger Undefined Behavior (UB) due to division by zero in the TIFF handling code paths used by iccTiffDump. This issue has been patched in version 2.3.1.6.
Published: 2026-03-31
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability arises in the ICC Color Management library iccDEV. A crafted TIFF file can trigger undefined behaviour in the code that handles TIFF data, specifically a division by zero in the TiffImg.h component. This issue allows an attacker to crash the iccTiffDump tool, or any application that relies on the library, resulting in service disruption. The weakness falls under CWE-369 (Divide By Zero), and may also provide a foothold for more severe exploitation if the crash leads to memory corruption.

Affected Systems

Affected products are the International Color Consortium's iccDEV libraries and tools on all operating systems supported by the library, for versions earlier than 2.3.1.6. Users of older releases that process TIFF files with iccTiffDump or integrated library calls are vulnerable until upgraded to 2.3.1.6 or newer.

Risk and Exploitability

The CVSS base score of 6.2 indicates a moderate severity. No EPSS score is available, so the likelihood of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog. Attacks would require an ability to supply malformed TIFF data to the library, either locally or remotely depending on the application context. No official workaround is listed; the only reliable protection is applying the patched version.

Generated by OpenCVE AI on April 1, 2026 at 06:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.6 or later


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

Values Added (none removed):

  • First Time appeared: Color; Color iccdev
  • CPEs: cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
  • Vendors & Products: Color; Color iccdev

Thu, 02 Apr 2026 20:30:00 +0000

Values Added (none removed):

  • First Time appeared: Internationalcolorconsortium; Internationalcolorconsortium iccdev
  • Vendors & Products: Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 01 Apr 2026 02:15:00 +0000

Values Added (none removed):

  • Description: iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted TIFF input can trigger Undefined Behavior (UB) due to division by zero in the TIFF handling code paths used by iccTiffDump. This issue has been patched in version 2.3.1.6.
  • Title: iccDEV: UB at TiffImg.h
  • Weaknesses: CWE-369
  • References
  • Metrics: cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T15:52:39.866Z

Reserved: 2026-03-30T16:31:39.264Z

Link: CVE-2026-34546

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-03-31T23:17:09.287

Modified: 2026-04-20T14:32:34.657

Link: CVE-2026-34546

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:11Z
