Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is a heap-buffer-overflow (HBO) in icAnsiToUtf8() in the XML conversion path. The issue is triggered by a crafted ICC profile which causes icAnsiToUtf8(std::string&, char const*) to treat an input buffer as a C-string and call operations that rely on strlen()/null-termination. AddressSanitizer reports an out-of-bounds READ of size 115 past a 114-byte heap allocation, with the failure observed while running the iccToXml tool. This issue has been patched in version 2.3.1.6.
Published: 2026-03-31
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow (memory corruption)
Action: Apply Patch
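The defect class in the description, a buffer handed to a routine that treats it as a NUL-terminated C-string when the profile never guaranteed a terminator, shown as an added C++ example that is not iccDEV's own code. The converter name ansiToUtf8Bounded, the Latin-1 reading of "ANSI", and the 114-byte field contents are all assumptions constructed for illustration; the point is the explicit length bound, the terminator check, and the owned copy that a caller should use before any strlen()-based API.

```cpp
// Added example (not iccDEV's own code): a length-bounded single-byte-to-UTF-8
// conversion that never relies on a NUL terminator being present in profile data.
// "ANSI" is assumed to mean ISO-8859-1 (Latin-1) here; that is an assumption for
// illustration, not a statement about iccDEV's real icAnsiToUtf8().
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Convert at most `len` bytes of single-byte text to UTF-8, replacing `out`.
// Stops at the first NUL (the C-string convention) but never reads past in+len,
// which is exactly what a strlen()-based path does when the field has no terminator.
void ansiToUtf8Bounded(std::string& out, const char* in, std::size_t len) {
    out.clear();
    if (in == nullptr || len == 0) return;
    const void* nul = std::memchr(in, '\0', len);
    std::size_t n = nul ? static_cast<std::size_t>(static_cast<const char*>(nul) - in) : len;
    out.reserve(n);
    for (std::size_t i = 0; i < n; ++i) {
        unsigned char c = static_cast<unsigned char>(in[i]);
        if (c < 0x80) {
            out.push_back(static_cast<char>(c));                  // ASCII passes through
        } else {
            out.push_back(static_cast<char>(0xC0 | (c >> 6)));    // Latin-1 0x80..0xFF -> 2-byte UTF-8
            out.push_back(static_cast<char>(0x80 | (c & 0x3F)));
        }
    }
}

// Convenience wrapper returning the converted text.
std::string convertBytes(const char* in, std::size_t len) {
    std::string out;
    ansiToUtf8Bounded(out, in, len);
    return out;
}

// Constructed sample field: `size` bytes cut from a parsed profile with no trailing
// NUL, the shape of input the advisory describes (not real ICC profile data).
std::vector<char> makeUnterminatedField(std::size_t size) {
    std::vector<char> field(size);
    for (std::size_t i = 0; i < size; ++i)
        field[i] = static_cast<char>('A' + (i % 26));
    if (size > 0) field[0] = static_cast<char>(0xE9);   // Latin-1 e-acute, becomes C3 A9
    return field;
}

std::string convertField(const std::vector<char>& field) {
    return convertBytes(field.data(), field.size());
}

// Check to apply before passing a slice to any C-string API:
// true only when a NUL exists inside the known length.
bool isNulTerminatedWithin(const char* in, std::size_t len) {
    return in != nullptr && std::memchr(in, '\0', len) != nullptr;
}

// Safe bridge for APIs that genuinely need a terminator: copy the known-length
// slice into a std::string, which owns its terminator, instead of calling strlen().
std::string terminatedCopy(const char* in, std::size_t len) {
    return std::string(in, len);
}

int main() {
    std::vector<char> field = makeUnterminatedField(114);
    std::printf("terminator inside field: %s\n",
                isNulTerminatedWithin(field.data(), field.size()) ? "yes" : "no");
    std::string utf8 = convertField(field);
    std::printf("converted %zu input bytes into %zu UTF-8 bytes\n", field.size(), utf8.size());
    std::string copy = terminatedCopy(field.data(), field.size());
    std::printf("strlen on terminated copy: %zu\n", std::strlen(copy.c_str()));
    return 0;
}
```

The bounded converter stops at a NUL if one is present, so terminated input behaves as before; the difference is only that the length of the parsed field, which the profile parser already knows, is the hard upper bound on what is read.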
AI Analysis

Impact

A flaw in the icAnsiToUtf8() routine of the iccDEV library causes the function to interpret an input buffer as a C‑string and invoke strlen() on it. When a crafted profile supplies a buffer without a NUL terminator, the read runs past the end of the allocation: AddressSanitizer reports a read of size 115 from a heap buffer that is only 114 bytes long, an out‑of‑bounds read (CWE‑125). This heap buffer overflow can crash the process or cause unpredictable behavior, but the CVE description does not indicate that code execution can be achieved.

Affected Systems

All releases of International Color Consortium’s iccDEV library and associated tools prior to version 2.3.1.6 are affected, including the iccToXml tool. The bug was fixed in version 2.3.1.6 and later releases.

Risk and Exploitability

The CVSS score of 6.2 reflects a moderate severity. EPSS data is not provided, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local or user‑controlled: a malicious ICC profile processed by iccDEV triggers the overflow. No remote exploitation or privilege escalation is described in the CVE data.

Generated by OpenCVE AI on April 1, 2026 at 06:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.6 or newer.
  • If upgrading is not immediately possible, avoid processing untrusted ICC profiles with iccToXml or any iccDEV‑based tool until a patch is applied.
  • Continuously monitor the International Color Consortium’s announcements for security updates and apply future patches promptly.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Color; Color iccdev
CPEs | | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products | | Color; Color iccdev

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products | | Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is a heap-buffer-overflow (HBO) in icAnsiToUtf8() in the XML conversion path. The issue is triggered by a crafted ICC profile which causes icAnsiToUtf8(std::string&, char const*) to treat an input buffer as a C-string and call operations that rely on strlen()/null-termination. AddressSanitizer reports an out-of-bounds READ of size 115 past a 114-byte heap allocation, with the failure observed while running the iccToXml tool. This issue has been patched in version 2.3.1.6.
Title | | iccDEV: HBO in icAnsiToUtf8()
Weaknesses | | CWE-125
References | |
Metrics | | cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T19:02:37.077Z

Reserved: 2026-03-30T16:31:39.265Z

Link: CVE-2026-34556

Vulnrichment

Updated: 2026-04-01T19:02:32.903Z

NVD

Status: Analyzed

Published: 2026-03-31T23:17:10.997

Modified: 2026-04-20T14:39:50.880

Link: CVE-2026-34556

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:00Z

Weaknesses