Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in IccUtil.cpp triggered by a crafted input profile. Under UndefinedBehaviorSanitizer, the issue is reported as invalid left shift operations on icUInt32Number (unsigned 32-bit) where the shifted value “cannot be represented” in that type. This issue has been patched in version 2.3.1.6.
Published: 2026-03-31
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Undefined behavior may lead to memory corruption
Action: Patch
AI Analysis

Impact

A crafted ICC profile can trigger an undefined left shift operation in IccUtil.cpp of the iccDEV library. The resulting undefined behavior can corrupt memory, compromise program stability, and potentially alter data integrity. The vulnerability is caused by shifting an unsigned 32‑bit value beyond its representable range, as identified by UndefinedBehaviorSanitizer.
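The shift condition described above, as an added example that is not iccDEV's own code: a checked left-shift helper in C++ that rejects both a shift count of 32 or more and a base value whose high bits would be shifted out, applied to a constructed five-byte field standing in for an untrusted profile value. The icUInt32Number alias is taken from the advisory; the field layout and the function names are assumptions for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Stand-in for iccDEV's icUInt32Number (an unsigned 32-bit integer); the
// alias name comes from the advisory, the rest of this file is not library code.
using icUInt32Number = uint32_t;

// Left shift that refuses to produce a result which cannot be represented in
// 32 bits. Two conditions are rejected: a shift count of 32 or more, which is
// undefined behaviour in C and C++ for any integer type, and a base value
// whose high bits would be shifted out, the condition UBSan reports as
// "cannot be represented". Returns std::nullopt in either case.
std::optional<icUInt32Number> checkedShiftLeft(icUInt32Number value, unsigned shift) {
    constexpr unsigned kBits = 32;
    if (shift >= kBits) {
        return std::nullopt;  // would be UB: shift count too large for the type
    }
    if (shift > 0 && (value >> (kBits - shift)) != 0) {
        return std::nullopt;  // set bits would be lost above bit 31
    }
    return value << shift;
}

// Hypothetical field layout used for the demonstration: a big-endian 32-bit
// value followed by a one-byte shift count, both read from untrusted input.
// Rejects truncated buffers as well as shifts that checkedShiftLeft refuses.
std::optional<icUInt32Number> decodeShiftedField(const std::vector<uint8_t>& buf, size_t pos) {
    if (pos > buf.size() || buf.size() - pos < 5) {
        return std::nullopt;  // truncated field
    }
    icUInt32Number value = (icUInt32Number(buf[pos]) << 24) |
                           (icUInt32Number(buf[pos + 1]) << 16) |
                           (icUInt32Number(buf[pos + 2]) << 8) |
                            icUInt32Number(buf[pos + 3]);
    return checkedShiftLeft(value, buf[pos + 4]);
}

// Constructed sample fields (not taken from any real profile).
const std::vector<uint8_t> kFieldOk       = {0x00, 0x00, 0x00, 0x01, 0x1F};  // 1 << 31 fits
const std::vector<uint8_t> kFieldBig      = {0x00, 0x00, 0x00, 0x01, 0x20};  // 1 << 32 rejected
const std::vector<uint8_t> kFieldOverflow = {0x00, 0x00, 0x00, 0x03, 0x1F};  // 3 << 31 rejected
```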

Affected Systems

InternationalColorConsortium’s iccDEV library and its tooling are affected. All releases older than version 2.3.1.6 are vulnerable; the patch was applied in 2.3.1.6 and later. Systems that import or process custom ICC profiles using the affected library may be impacted.

Risk and Exploitability

The CVSS base score of 6.2 indicates a moderate severity. EPSS data is not available and the issue is not listed in CISA’s KEV catalog. The likely attack vector involves supplying a malicious ICC profile to a program that parses it with the vulnerable library. While no confirmed exploit exists, the undefined behavior could lead to memory corruption and compromise system reliability.

Generated by OpenCVE AI on April 1, 2026 at 06:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.6 or later
  • Verify that the installed release is the patched version
  • Restrict profile parsing to trusted, validated ICC files to reduce risk



Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Color; Color iccdev
CPEs                |                | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products  |                | Color; Color iccdev

Fri, 03 Apr 2026 17:45:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: Automatable: no; Exploitation: poc; Technical Impact: partial (SSVC version 2.0.3)

Thu, 02 Apr 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products  |                | Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 01 Apr 2026 02:15:00 +0000

Type        | Values Removed | Values Added
Description |                | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in IccUtil.cpp triggered by a crafted input profile. Under UndefinedBehaviorSanitizer, the issue is reported as invalid left shift operations on icUInt32Number (unsigned 32-bit) where the shifted value “cannot be represented” in that type. This issue has been patched in version 2.3.1.6.
Title       |                | iccDEV: UB at IccUtil.cpp
Weaknesses  |                | CWE-758
References  |                |
Metrics     |                | cvssV3_1: score 6.2, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T16:41:44.818Z

Reserved: 2026-03-30T16:31:39.264Z

Link: CVE-2026-34549

Vulnrichment

Updated: 2026-04-03T16:41:40.840Z

NVD

Status : Analyzed

Published: 2026-03-31T23:17:09.770

Modified: 2026-04-20T14:33:08.250

Link: CVE-2026-34549

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:08Z

Weaknesses