CVE-2026-21676

iccDEV has a Heap-based Buffer Overflow in its CIccMBB::Validate() function

CVSS 8.8 HIGH | EPSS 0.3% | CWE-122
In short

iccDEV, a set of libraries and tools for working with ICC color management profiles, has a flaw in the routine that validates profile tag data. A crafted profile can overflow a heap buffer, crashing the program or potentially allowing code execution. Versions 2.3.1 and earlier are affected; version 2.3.1.1 fixes the issue.

Technical detail

A heap-based buffer overflow exists in the CIccMBB::Validate() function, which checks the validity of ICC profile tag data. An attacker who gets a victim to process a specially crafted profile (the CVSS vector requires user interaction) can trigger the overflow during validation, leading to denial of service or potentially code execution. The official description does not name the field or bound that fails, so any application that links iccDEV and validates profiles from untrusted sources should be treated as exposed until it is on version 2.3.1.1 or later, where the vulnerability is resolved.

Summary generated and translated by AI from the official description.
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
(network attack vector, low complexity, no privileges required, user interaction required, unchanged scope, high confidentiality, integrity and availability impact)
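The official description says only that validation of tag data overflows a heap buffer, not which field is at fault. The usual root of this bug class in profile parsers is a length or count field read from the file and used to size or index a heap buffer without being checked against the data actually present. The following C program is an added illustration of the bounds checks a tag-data validator needs; it is not iccDEV code, not the patched CIccMBB::Validate(), and not the actual cause of CVE-2026-21676. It assumes the profile layout from the ICC specification (128-byte header, "acsp" magic at offset 36, big-endian tag count at offset 128, 12-byte tag table entries of signature, offset and size) and builds its own constructed sample profiles, including two that would pass a naive 32-bit "offset + size <= length" or "count * 12" check because the arithmetic wraps.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ICC_HEADER_SIZE    128u  /* fixed-size profile header */
#define ICC_TAG_ENTRY_SIZE  12u  /* signature, offset, size: 4 bytes each */
#define SAMPLE_LEN         176u  /* length of the constructed sample profile */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Check the header and tag table of an ICC profile held in buf[0..len).
 * Returns the tag count when every tag's data lies inside the buffer,
 * or -1 when any file-controlled length field cannot be trusted.
 * Every comparison is arranged so that it cannot wrap in 32 bits. */
int icc_validate_tag_table(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < ICC_HEADER_SIZE + 4) return -1;
    if (memcmp(buf + 36, "acsp", 4) != 0) return -1;   /* profile magic */
    if (be32(buf) > len) return -1;                    /* declared size vs. bytes present */

    uint32_t count = be32(buf + ICC_HEADER_SIZE);
    /* A naive "132 + count * 12 <= len" wraps once count * 12 exceeds 2^32; divide instead. */
    if (count > (len - ICC_HEADER_SIZE - 4) / ICC_TAG_ENTRY_SIZE) return -1;

    const uint8_t *entry = buf + ICC_HEADER_SIZE + 4;
    for (uint32_t i = 0; i < count; i++, entry += ICC_TAG_ENTRY_SIZE) {
        uint32_t off  = be32(entry + 4);
        uint32_t size = be32(entry + 8);
        /* A naive "off + size <= len" wraps for a huge size; subtract instead. */
        if (off > len || size > len - off) return -1;
        /* Every ICC tag type starts with a 4-byte type signature and 4 reserved bytes. */
        if (size < 8) return -1;
    }
    return (int)count;
}

enum sample_variant {
    SAMPLE_GOOD,            /* well-formed two-tag profile */
    SAMPLE_HUGE_TAG_SIZE,   /* tag size chosen so off + size wraps to a small value */
    SAMPLE_HUGE_TAG_COUNT,  /* tag count chosen so count * 12 wraps to zero */
    SAMPLE_TRUNCATED        /* file shorter than the size declared in the header */
};

/* Constructed minimal profile for this demo (not a real vendor profile):
 * 128-byte header, count = 2, 'desc' at 156 (8 bytes), 'cprt' at 164 (12 bytes). */
size_t build_sample(uint8_t *buf, enum sample_variant v) {
    memset(buf, 0, SAMPLE_LEN);
    put32(buf, SAMPLE_LEN);                 /* declared profile size */
    memcpy(buf + 36, "acsp", 4);            /* magic */
    put32(buf + 128, 2);                    /* tag count */
    memcpy(buf + 132, "desc", 4); put32(buf + 136, 156); put32(buf + 140, 8);
    memcpy(buf + 144, "cprt", 4); put32(buf + 148, 164); put32(buf + 152, 12);
    switch (v) {
    case SAMPLE_HUGE_TAG_SIZE:  put32(buf + 152, 0xFFFFFFF0u); break; /* 164 + size wraps to 164 */
    case SAMPLE_HUGE_TAG_COUNT: put32(buf + 128, 0x40000000u); break; /* count * 12 wraps to 0 */
    case SAMPLE_TRUNCATED:      return SAMPLE_LEN - 8;                /* 8 bytes missing at end */
    default: break;
    }
    return SAMPLE_LEN;
}

/* Build one variant and validate it; returns the validator's result. */
int check_sample(enum sample_variant v) {
    uint8_t buf[SAMPLE_LEN];
    size_t len = build_sample(buf, v);
    return icc_validate_tag_table(buf, len);
}

int main(void) {
    static const char *names[] = {"good", "huge tag size", "huge tag count", "truncated"};
    for (int v = SAMPLE_GOOD; v <= SAMPLE_TRUNCATED; v++)
        printf("%-15s -> %d\n", names[v], check_sample((enum sample_variant)v));
    return 0;
}
```

The two wrapping cases are the ones worth remembering: with 32-bit arithmetic, a tag size of 0xFFFFFFF0 at offset 164 makes off + size equal 164, and a tag count of 0x40000000 makes count * 12 equal 0, so both pass the "obvious" check and a later read or copy sized from those fields runs past the heap buffer holding the profile. Rewriting each comparison as a subtraction or division against the bytes actually present removes the wrap.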
