Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in the XML conversion tooling path (iccToXml) caused by an implicit conversion from a negative signed integer to icUInt32Number (unsigned 32-bit), which changes the value. This issue has been patched in version 2.3.1.6.
Published: 2026-03-31
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an undefined behavior triggered during XML conversion when a negative signed integer is implicitly converted to an unsigned 32‑bit value. This type mismatch alters the resulting value and can lead to incorrect XML output or program instability, potentially causing a crash or denial of service when the iccToXml tool processes malformed inputs.

Affected Systems

All installations of International Color Consortium's iccDEV that use a version earlier than 2.3.1.6 are susceptible. The flaw resides in the iccUTIL XML conversion component, part of the library and associated command‑line tools that convert ICC profiles to XML format.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity. No EPSS data is available and the issue is not listed in CISA's KEV catalog. The flaw is triggered by feeding malicious or malformed data to the iccToXml conversion path, which is a local or potentially remote entry point if the tool is exposed to untrusted input. Because the exploit requires exploiting undefined behavior, practical attack construction may be complex, but the possibility of a crash or loss of data integrity warrants prompt attention.

Generated by OpenCVE AI on April 1, 2026 at 05:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch to iccDEV version 2.3.1.6 or newer.

Generated by OpenCVE AI on April 1, 2026 at 05:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in the XML conversion tooling path (iccToXml) caused by an implicit conversion from a negative signed integer to icUInt32Number (unsigned 32-bit), which changes the value. This issue has been patched in version 2.3.1.6.
Title iccDEV: UB at IccUtilXml.cpp
Weaknesses CWE-681
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T19:00:50.308Z

Reserved: 2026-03-30T16:31:39.264Z

Link: CVE-2026-34548

cve-icon Vulnrichment

Updated: 2026-04-01T19:00:46.779Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T23:17:09.607

Modified: 2026-04-20T14:32:53.423

Link: CVE-2026-34548

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:10:09Z

Weaknesses