CVE-2026-21677
iccDEV has Undefined Behavior in CIccCLUT::Init()
In short
iccDEV, a color management library, has undefined behavior when initializing color lookup tables (CLUTs), which can cause crashes or unpredictable program behavior. This affects versions 2.3.1 and earlier.
Technical detail
The CIccCLUT::Init() function in iccDEV versions ≤2.3.1 exhibits undefined behavior during CLUT initialization, likely due to improper input validation (CWE-20) or unhandled edge cases. An attacker can trigger this via malformed ICC profiles, potentially causing denial of service or memory corruption.
Summary generated and translated by AI from the official description.
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in the CIccCLUT::Init function, which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
InternationalColorConsortium · iccDEV