Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a heap-buffer-overflow (HBO) in CIccApplyCmmSearch::costFunc() can be triggered via malformed JSON configuration input to the iccApplySearch tool. AddressSanitizer reports an out-of-bounds READ of size 8 originating from CIccApplyCmmSearch::costFunc(CIccSearchVec&) at IccProfLib/IccCmmSearch.cpp:112:5. This issue has been patched in version 2.3.1.6.
Published: 2026-03-31
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption or information disclosure
Action: Patch immediately
AI Analysis

Impact

A heap‑buffer overflow in the CIccApplyCmmSearch::costFunc function of the iccDEV library can be triggered when the iccApplySearch tool processes a malformed JSON configuration file. The out‑of‑bounds read may lead to memory corruption or expose sensitive data that resides near the buffer. This weakness is recorded as CWE‑125.

Affected Systems

The vulnerability applies to all deployments of InternationalColorConsortium’s iccDEV libraries and tools that are older than version 2.3.1.6. Any installation that uses the iccApplySearch utility with configuration files that are not fully trusted is potentially affected.

Risk and Exploitability

The CVSS base score is 6.2, reflecting moderate severity. No EPSS score is available, so the probability of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or compromised execution of a crafted JSON file against the iccApplySearch command; this inference is based on the description that the flaw can be triggered via malformed JSON configuration input, which is not explicitly stated in the data.

Generated by OpenCVE AI on April 1, 2026 at 06:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official release of iccDEV version 2.3.1.6 or later.
  • Validate JSON configuration files before they are supplied to iccApplySearch.
  • Restrict execution of iccApplySearch to trusted inputs only if an upgrade is not immediately possible.

Generated by OpenCVE AI on April 1, 2026 at 06:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a heap-buffer-overflow (HBO) in CIccApplyCmmSearch::costFunc() can be triggered via malformed JSON configuration input to the iccApplySearch tool. AddressSanitizer reports an out-of-bounds READ of size 8 originating from CIccApplyCmmSearch::costFunc(CIccSearchVec&) at IccProfLib/IccCmmSearch.cpp:112:5. This issue has been patched in version 2.3.1.6.
Title iccDEV: HBO in CIccApplyCmmSearch::costFunc()
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T15:52:28.706Z

Reserved: 2026-03-30T16:31:39.264Z

Link: CVE-2026-34554

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T23:17:10.640

Modified: 2026-04-20T14:37:03.430

Link: CVE-2026-34554

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:10:02Z

Weaknesses