Description
Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.
Published: 2026-04-18
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Assess Impact
AI Analysis

Impact

Little CMS (lcms2) through version 2.18 contains an integer overflow in the CubeSize function in cmslut.c: the overflow check is performed only after the multiplication, so a product that has already wrapped can pass it. This defect can yield an incorrectly computed size value, leading to memory corruption when the library allocates space for lookup tables. The flaw exhibits characteristics of integer overflow (CWE-190) and incorrect order of operations (CWE-696).
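The ordering defect described above, shown as an added C illustration rather than the lcms2 source: the cube size of a lookup table is the product of its grid dimensions, and the two functions differ only in whether the overflow check runs after or before each multiply. Function names and the sample grid dimensions are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustration of the defect class, not the lcms2 source: a CLUT cube size
 * is the product of its grid dimensions, and the only question is whether
 * the overflow check runs before or after the multiplication. */

/* Defective ordering: multiply first, check afterwards. Unsigned overflow
 * wraps silently, so once rv has wrapped the check compares a small, wrong
 * value and can pass. Returns 0 when an error is detected. */
uint32_t cube_size_check_after(const uint32_t dims[], uint32_t n)
{
    uint32_t rv = 1;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t dim = dims[i];
        if (dim <= 1) return 0;              /* degenerate grid */
        rv *= dim;                           /* may already have wrapped */
        if (rv > UINT32_MAX / dim) return 0; /* checked too late */
    }
    return rv;
}

/* Corrected ordering: reject before multiplying whenever rv * dim would
 * exceed UINT32_MAX. Nothing ever wraps, so the result is exact or 0. */
uint32_t cube_size_check_before(const uint32_t dims[], uint32_t n)
{
    uint32_t rv = 1;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t dim = dims[i];
        if (dim <= 1) return 0;
        if (rv > UINT32_MAX / dim) return 0; /* rv * dim would not fit */
        rv *= dim;
    }
    return rv;
}

int main(void)
{
    /* Constructed sample: 3 * 0x55555556 = 0x100000002, which wraps to 2 in
     * 32 bits. The late check then sees rv == 2, which is not greater than
     * UINT32_MAX / 0x55555556 == 2, so the bogus size 2 is accepted. */
    const uint32_t bad[2] = { 3u, 0x55555556u };
    const uint32_t ok[3] = { 17u, 17u, 17u };   /* an ordinary 17x17x17 grid */
    printf("late check : %u (exact product %llu)\n",
           cube_size_check_after(bad, 2), 3ULL * 0x55555556ULL);
    printf("early check: %u\n", cube_size_check_before(bad, 2));
    printf("17^3 grid  : %u\n", cube_size_check_before(ok, 3));
    return 0;
}
```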

Affected Systems

The Little CMS Color Engine, specifically all releases up to and including 2.18, is affected. The vulnerability originates from the lcms2 source code and is therefore present in any software that links to this library without an updated version.

Risk and Exploitability

The CVSS score of 4.0 indicates moderate severity. The EPSS score is less than 1%, indicating a very low exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector requires an attacker to supply crafted input that reaches the CubeSize routine, such as malicious image data processed by the library. If successfully exploited, the overflow could lead to a denial-of-service condition or, in certain contexts, further memory corruption that might be escalated to arbitrary code execution.

Generated by OpenCVE AI on April 20, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Little CMS release that addresses the CubeSize calculation bug; consult the project’s changelog for the applicable patch.
  • If an upgrade is not immediately possible, validate all input parameters that reach the CubeSize routine and enforce bounds checks to prevent excessively large values from being processed.
  • Monitor applications that use Little CMS for abnormal crashes or memory errors, and apply additional hardening such as memory protection mechanisms (ASLR, stack canaries) to reduce the impact of potential exploitation.



Advisories

  • Source: Debian DLA; ID: DLA-4568-1; Title: lcms2 security update
History

Thu, 07 May 2026 18:30:00 +0000
  • References

Wed, 22 Apr 2026 18:45:00 +0000
  • First Time appeared: Littlecms little Cms
  • CPEs: cpe:2.3:a:littlecms:little_cms:*:*:*:*:*:*:*:*
  • Vendors & Products: Littlecms little Cms

Mon, 20 Apr 2026 16:15:00 +0000
  • Metrics (ssvc), added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 12:15:00 +0000
  • Title: Little CMS: lcms2: mm2/Little-CMS: Little CMS: Information disclosure or denial of service via integer overflow in CubeSize
  • Weaknesses: CWE-190
  • References
  • Metrics (threat_severity): removed None, added Moderate

Sat, 18 Apr 2026 07:00:00 +0000
  • Description: Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.
  • First Time appeared: Littlecms; Littlecms little Cms Color Engine
  • Weaknesses: CWE-696
  • CPEs: cpe:2.3:a:littlecms:little_cms_color_engine:*:*:*:*:*:*:*:*
  • Vendors & Products: Littlecms; Littlecms little Cms Color Engine
  • References
  • Metrics (cvssV3_1), added: {'score': 4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T17:33:56.924Z

Reserved: 2026-04-18T06:43:13.323Z

Link: CVE-2026-41254

Vulnrichment

Updated: 2026-05-07T17:33:56.924Z

NVD

Status: Modified

Published: 2026-04-18T07:16:10.807

Modified: 2026-05-07T18:16:19.300

Link: CVE-2026-41254

Red Hat

Severity: Moderate

Public Date: 2026-04-18T06:43:13Z

Links: CVE-2026-41254 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T14:00:08Z

Weaknesses