Impact
The vulnerability in iccDEV’s IccIO.cpp arises from an implicit cast of a negative signed integer to an unsigned size_t, resulting in undefined behavior as classified by CWE-681. This can cause the library to miscalculate buffer sizes or indices, potentially leading to memory corruption, crashes, or unintended logic during ICC profile processing. The primary consequence is the compromise of program stability and data integrity when the library is used.
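The following added example is not iccDEV code. It shows what a negative signed length becomes once converted to size_t, next to a checked conversion that rejects it before it is used as a size. The names unchecked_len, checked_len and MemReader are hypothetical and do not correspond to anything in IccIO.cpp.

```cpp
// Added illustration; not taken from iccDEV. All names are hypothetical.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>

// The conversion the advisory describes: -1 turns into SIZE_MAX, so a
// negative length reaches later size arithmetic as a huge positive value.
inline std::size_t unchecked_len(std::int32_t n) {
    return static_cast<std::size_t>(n);
}

// Checked conversion: refuse negative or unrepresentable values.
inline bool checked_len(std::int64_t n, std::size_t* out) {
    if (n < 0) return false;
    if (static_cast<std::uint64_t>(n) > std::numeric_limits<std::size_t>::max())
        return false;
    *out = static_cast<std::size_t>(n);
    return true;
}

// Hypothetical bounded reader over an in-memory profile buffer.
class MemReader {
public:
    MemReader(const unsigned char* data, std::size_t size)
        : data_(data), size_(size), pos_(0) {}

    // Returns the number of bytes copied, or -1 if the request is invalid.
    long read(void* dst, std::size_t dst_cap, std::int32_t count) {
        std::size_t len = 0;
        if (!checked_len(count, &len)) return -1;        // negative count
        if (len > size_ - pos_ || len > dst_cap) return -1; // out of bounds
        if (len != 0) std::memcpy(dst, data_ + pos_, len);
        pos_ += len;
        return static_cast<long>(len);
    }

private:
    const unsigned char* data_;
    std::size_t size_;
    std::size_t pos_;
};
```

Builds that enable Clang's -fsanitize=implicit-conversion report the unchecked form at run time, which is a practical way to find similar conversions in code that parses untrusted profiles.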
Affected Systems
International Color Consortium’s iccDEV libraries and tools are impacted in all releases prior to version 2.3.1.6. Version 2.3.1.6 and later incorporate a fix that removes the problematic conversion, thereby eliminating the undefined behavior. Any deployment using older versions of iccDEV must be reviewed to confirm whether the vulnerable code path is exercised.
Risk and Exploitability
With a CVSS score of 6.2, the flaw represents moderate severity. No EPSS score is provided and the vulnerability is not listed in CISA’s KEV catalog, indicating limited known exploitation. The likely attack vector is inferred from the description: any process that loads and processes ICC profiles through the affected library may trigger the behavior. Because the issue stems from internal code logic rather than external input, exploitation requires the library to run within the application context. Nevertheless, the risk is non‑negligible for applications that rely on iccDEV, so remediation is recommended to avoid potential instability or data corruption.