Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, an Undefined Behavior (UB) condition in IccUtil.cpp can be triggered by a crafted ICC profile when running iccDumpProfile. This issue has been patched in version 2.3.1.6.
Published: 2026-03-31
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of service (crash of iccDumpProfile); the CVSS vector scores availability only (C:N/I:N/A:H), so code execution is unconfirmed
Action: Immediate Patch
AI Analysis

Impact

iccDEV is a collection of libraries and tools for working with ICC color management profiles. A crafted ICC profile can trigger an undefined behavior condition in IccUtil.cpp when iccDumpProfile is executed. The weakness is classified as CWE-758 (Reliance on Undefined, Unspecified, or Ill-defined Behavior). In practice undefined behavior of this kind most often surfaces as a crash of the process that runs the tool, which is what the published CVSS vector scores (C:N/I:N/A:H, availability only). Memory corruption leading to arbitrary code execution is a theoretical consequence of UB in C++ but is not established by the advisory and should be treated as unconfirmed.

Affected Systems

The vulnerability affects users of the International Color Consortium’s iccDEV library who are running versions older than 2.3.1.6. The issue was fixed in version 2.3.1.6 and later releases; any environment that runs an unpatched iccDumpProfile on untrusted ICC profiles (for example, an ingestion pipeline that dumps uploaded profiles) remains at risk.

Risk and Exploitability

The CVSS score of 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates moderate risk, and the EPSS estimate is below 1% (Very Low), so the predicted likelihood of exploitation in the wild is small. The vulnerability is not listed in the CISA KEV catalog, which means no in-the-wild exploitation has been recorded; it does not mean no exploit exists, and the SSVC assessment attached to this record rates Exploitation as "poc", i.e. a proof of concept is known. The attack vector is local: an attacker needs to get a malicious ICC profile processed by iccDumpProfile, which requires either local access or a workflow that feeds externally supplied profiles to the tool. The SSVC rating of Automatable "no" and Technical Impact "partial" is consistent with the CVSS vector: the established outcome is a denial of service of the tool process, with arbitrary code execution unconfirmed.

Generated by OpenCVE AI on April 1, 2026 at 05:58 UTC.

Remediation

No vendor advisory or workaround is tracked by OpenCVE for this record; the CVE description itself states that the issue is fixed in iccDEV 2.3.1.6.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.6 or newer to apply the fix.
  • Until the upgrade is in place, do not run iccDumpProfile (or other iccDEV tools built on the same code) on ICC profiles from untrusted sources, or run it in an isolated, resource-limited context where a crash is contained.
  • Where profiles come from a known source, verify their integrity (checksum or signature) before processing; where they do not, apply a structural sanity check to the header and tag table and reject inconsistent files before handing them to the tool.
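As an added example (not code from iccDEV or the ICC), the following Python pre-check implements the structural sanity check suggested above for profiles destined for iccDumpProfile. It relies only on the public ICC.1 file layout: a 128-byte header with the profile size at offset 0 and the 'acsp' signature at offset 36, a 4-byte tag count at offset 128, and 12-byte tag table entries (signature, offset, size). It rejects files whose declared size, tag count, tag offsets or tag sizes are mutually inconsistent. The specific IccUtil.cpp condition behind this CVE is not described in the record, so this is a triage filter for obviously malformed input, not a substitute for the 2.3.1.6 upgrade. The sample profiles in the block are constructed in place for the demonstration and are not real colour profiles.

```python
"""Structural pre-check for ICC profiles before they reach a dump tool.

Added example, not iccDEV code. Checks only the public ICC.1 layout
(128-byte header, 'acsp' signature, tag count, 12-byte tag entries).
"""
import struct
from typing import Optional

ICC_HEADER_SIZE = 128   # fixed-size header
TAG_ENTRY_SIZE = 12     # signature(4) + offset(4) + size(4)
MIN_TAG_DATA = 8        # every tag type starts with type signature(4) + reserved(4)


class IccProfileError(ValueError):
    """Raised on the first layout inconsistency found."""


def check_icc_profile(data: bytes) -> dict:
    """Validate header / tag-table consistency; return a summary or raise IccProfileError."""
    n = len(data)
    if n < ICC_HEADER_SIZE + 4:
        raise IccProfileError(f"too short for header plus tag count: {n} bytes")
    if data[36:40] != b"acsp":
        raise IccProfileError("missing 'acsp' signature at offset 36")
    declared_size = struct.unpack_from(">I", data, 0)[0]
    if declared_size != n:
        raise IccProfileError(f"declared size {declared_size} != actual size {n}")

    tag_count = struct.unpack_from(">I", data, ICC_HEADER_SIZE)[0]
    table_end = ICC_HEADER_SIZE + 4 + tag_count * TAG_ENTRY_SIZE
    # Python ints do not wrap, so an absurd count such as 0xFFFFFFFF fails here
    # instead of overflowing a 32-bit multiplication as it might in C/C++.
    if table_end > n:
        raise IccProfileError(f"tag table with {tag_count} entries runs past end of file")

    tags = []
    for i in range(tag_count):
        entry = ICC_HEADER_SIZE + 4 + i * TAG_ENTRY_SIZE
        sig, off, size = struct.unpack_from(">4sII", data, entry)
        name = sig.decode("ascii", "replace")
        if off < table_end:
            raise IccProfileError(f"tag {name!r} data overlaps header or tag table")
        if off % 4:
            raise IccProfileError(f"tag {name!r} offset {off} is not 4-byte aligned")
        if size < MIN_TAG_DATA:
            raise IccProfileError(f"tag {name!r} size {size} below {MIN_TAG_DATA}-byte minimum")
        if off + size > n:  # no wraparound in Python, so an off+size overflow is caught too
            raise IccProfileError(f"tag {name!r} ({off}+{size}) runs past end of file")
        tags.append(name)
    return {"size": n, "tag_count": tag_count, "tags": tags}


def icc_problem(data: bytes) -> Optional[str]:
    """Convenience wrapper: None when the layout is consistent, else the reason."""
    try:
        check_icc_profile(data)
        return None
    except IccProfileError as exc:
        return str(exc)


def build_profile(tags):
    """Constructed minimal profile (header, tag table, tag data); not a real colour profile."""
    table_end = ICC_HEADER_SIZE + 4 + TAG_ENTRY_SIZE * len(tags)
    table, body, cursor = b"", b"", table_end
    for sig, payload in tags:
        table += struct.pack(">4sII", sig, cursor, len(payload))
        padded = payload + b"\0" * (-len(payload) % 4)  # keep the next tag 4-byte aligned
        body += padded
        cursor += len(padded)
    header = bytearray(ICC_HEADER_SIZE)
    header[36:40] = b"acsp"
    struct.pack_into(">I", header, 0, table_end + len(body))
    return bytes(header) + struct.pack(">I", len(tags)) + table + body


def _mutate(data, fmt, offset, value):
    """Return a copy of data with one field overwritten (used to build crafted inputs)."""
    buf = bytearray(data)
    struct.pack_into(fmt, buf, offset, value)
    return bytes(buf)


# Constructed inputs: one consistent profile and three crafted copies of it.
GOOD = build_profile([(b"desc", b"text\0\0\0\0hello"), (b"cprt", b"text\0\0\0\0(c)")])
BAD_TAG_COUNT = _mutate(GOOD, ">I", ICC_HEADER_SIZE, 0xFFFFFFFF)          # absurd tag count
BAD_TAG_OFFSET = _mutate(GOOD, ">I", ICC_HEADER_SIZE + 4 + 4, 0xFFFFFFF0)  # first tag offset past EOF
BAD_SIZE = _mutate(GOOD, ">I", 0, len(GOOD) + 4096)                        # header lies about size

if __name__ == "__main__":
    for label, blob in [("good", GOOD), ("tag-count", BAD_TAG_COUNT),
                        ("tag-offset", BAD_TAG_OFFSET), ("size", BAD_SIZE)]:
        print(f"{label:10s} -> {icc_problem(blob) or check_icc_profile(blob)}")
```

Run the check on each untrusted file and only pass those for which icc_problem() returns None to iccDumpProfile; a rejection is a reason to quarantine the file, not to "repair" it. The check deliberately does not interpret tag contents, so a well-formed table wrapping a malicious tag body will pass it; that is why it complements, rather than replaces, the upgrade.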


Tracking


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Color; Color iccdev
CPEs                 -                cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products   -                Color; Color iccdev

Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products   -                Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 01 Apr 2026 23:45:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type          Values Removed   Values Added
Description   -                iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, an Undefined Behavior (UB) condition in IccUtil.cpp can be triggered by a crafted ICC profile when running iccDumpProfile. This issue has been patched in version 2.3.1.6.
Title         -                iccDEV: UB at IccUtil.cpp
Weaknesses    -                CWE-758
References    -                -
Metrics       -                cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:26:31.361Z

Reserved: 2026-03-30T16:31:39.264Z

Link: CVE-2026-34547

Vulnrichment

Updated: 2026-04-01T13:26:22.020Z

NVD

Status : Analyzed

Published: 2026-03-31T23:17:09.450

Modified: 2026-04-20T14:31:56.350

Link: CVE-2026-34547

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:10Z

Weaknesses