Description
Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.
Published: 2026-04-18
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Assess Impact
AI Analysis

Impact

Little CMS (lcms2) up to version 2.18 contains an integer overflow in the CubeSize function in cmslut.c, because the overflow check is performed after the multiplication. This defect can cause an incorrectly calculated size value, leading to memory corruption when the library allocates space for lookup tables. The flaw is categorized as CWE-696, which denotes an incorrect order of operations that can result in unexpected behavior or crashes.

Affected Systems

The Little CMS Color Engine, specifically all releases up to and including 2.18, is affected. The vulnerability originates from the lcms2 source code and is therefore present in any software that links to this library without an updated version.

Risk and Exploitability

The CVSS score of 4.0 indicates a moderate severity. EPSS information is unavailable, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is not explicitly documented, but integer overflows in library components typically require the attacker to supply crafted input—such as image data processed by the affected functions—in order to trigger the overflow. If successfully exploitable, the overflow could lead to a denial‑of‑service condition or, in vulnerable contexts, arbitrary code execution through secondary memory corruption.

Generated by OpenCVE AI on April 18, 2026 at 08:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Little CMS release that addresses the CubeSize calculation bug; consult the project’s changelog for the applicable patch.
  • If an upgrade is not immediately possible, validate all input parameters that reach the CubeSize routine and enforce bounds checks to prevent excessively large values from being processed.
  • Monitor applications that use Little CMS for abnormal crashes or memory errors, and apply additional hardening such as memory protection mechanisms (ASLR, stack canaries) to reduce the impact of potential exploitation.

Generated by OpenCVE AI on April 18, 2026 at 08:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Description Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.
First Time appeared Littlecms
Littlecms little Cms Color Engine
Weaknesses CWE-696
CPEs cpe:2.3:a:littlecms:little_cms_color_engine:*:*:*:*:*:*:*:*
Vendors & Products Littlecms
Littlecms little Cms Color Engine
References
Metrics cvssV3_1

{'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}

Subscriptions

Littlecms Little Cms Color Engine
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-18T06:43:42.580Z

Reserved: 2026-04-18T06:43:13.323Z

Link: CVE-2026-41254

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-18T07:16:10.807

Modified: 2026-04-18T07:16:10.807

Link: CVE-2026-41254

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses