CVE-2026-21679

iccDEV has heap-buffer-overflow vulnerability in CIccLocalizedUnicode::GetText()

CVSS 8.8 HIGH | EPSS 0.3% | CWE-20
In short

iccDEV, a color management library, has a heap buffer overflow vulnerability in its text handling function. An attacker could provide specially crafted input to cause a program crash or potentially execute malicious code.

Technical detail

CIccLocalizedUnicode::GetText() contains a heap buffer overflow due to improper input validation (CWE-20). An attacker can trigger this via malformed localized unicode text data in ICC profiles, potentially achieving code execution or denial of service. The vulnerability is fixed in version 2.3.1.2 and later.
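The page does not describe the specific defect inside GetText(), only that malformed localized Unicode text data in a profile reaches a heap copy without adequate validation. The following is an added, constructed example (not iccDEV's code and not the actual patch) showing the class of check a hardened reader of an ICC multiLocalizedUnicodeType ('mluc') tag performs: every record count, length and offset taken from the untrusted tag is verified against the real tag size and the caller's buffer before a single byte is copied. The tag layout follows the ICC.1 specification; the helper names, the sample "Hi" text and the overlong length field used to model a malformed record are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not iccDEV code. ICC 'mluc' tag layout (ICC.1):
 *   0..3   'mluc' signature        4..7   reserved (zero)
 *   8..11  number of records       12..15 record size (always 12)
 *   16..   records: lang(2) country(2) length(4) offset(4)
 * length and offset are byte counts; offset is relative to the tag start.
 * All multi-byte integers are big-endian. */

#define MLUC_HEADER_LEN 16u
#define MLUC_RECORD_LEN 12u

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Copies the UTF-16BE text of record `idx` into `out` as code units.
 * Returns the number of code units copied, or -1 if the tag is malformed
 * or the text would not fit in `out_cap`. Every size derived from the
 * untrusted tag is checked against `tag_len` before it is used. */
long mluc_get_text(const uint8_t *tag, size_t tag_len, uint32_t idx,
                   uint16_t *out, size_t out_cap)
{
    if (tag == NULL || out == NULL || tag_len < MLUC_HEADER_LEN) return -1;
    if (memcmp(tag, "mluc", 4) != 0) return -1;

    uint32_t nrec  = rd32(tag + 8);
    uint32_t rsize = rd32(tag + 12);
    if (rsize != MLUC_RECORD_LEN) return -1;

    /* The whole record table must lie inside the tag (64-bit math, no wrap). */
    if ((uint64_t)nrec * MLUC_RECORD_LEN > (uint64_t)tag_len - MLUC_HEADER_LEN)
        return -1;
    if (idx >= nrec) return -1;

    const uint8_t *rec = tag + MLUC_HEADER_LEN + (size_t)idx * MLUC_RECORD_LEN;
    uint32_t len = rd32(rec + 4);
    uint32_t off = rd32(rec + 8);

    /* Text must be whole code units and must end inside the tag. */
    if (len % 2 != 0) return -1;
    if (off > tag_len || len > tag_len - off) return -1;

    size_t units = len / 2;
    if (units > out_cap) return -1;   /* destination bound, checked before copy */

    for (size_t i = 0; i < units; i++)
        out[i] = (uint16_t)(((unsigned)tag[off + 2 * i] << 8) | tag[off + 2 * i + 1]);
    return (long)units;
}

/* Builds a constructed one-record 'mluc' tag carrying "Hi" in UTF-16BE.
 * `claimed_len` is written into the record's length field so a caller can
 * model a malformed profile whose declared length exceeds the real data.
 * Returns the tag size in bytes (32), or 0 if `buf` is too small. */
size_t build_sample_tag(uint8_t *buf, size_t cap, uint32_t claimed_len) {
    static const uint8_t text[4] = {0x00, 'H', 0x00, 'i'};
    const size_t total = MLUC_HEADER_LEN + MLUC_RECORD_LEN + sizeof text;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "mluc", 4);
    wr32(buf + 8, 1);                                  /* one record */
    wr32(buf + 12, MLUC_RECORD_LEN);
    memcpy(buf + 16, "enUS", 4);                       /* language, country */
    wr32(buf + 20, claimed_len);                       /* possibly bogus length */
    wr32(buf + 24, MLUC_HEADER_LEN + MLUC_RECORD_LEN); /* text starts at 28 */
    memcpy(buf + 28, text, sizeof text);
    return total;
}

/* Convenience wrapper: build the sample tag with `claimed_len`, then read
 * record `idx` into a buffer of `out_cap` code units (max 8). */
long run_case(uint32_t claimed_len, uint32_t idx, size_t out_cap) {
    uint8_t buf[64];
    uint16_t out[8];
    size_t n = build_sample_tag(buf, sizeof buf, claimed_len);
    if (n == 0 || out_cap > 8) return -2;
    return mluc_get_text(buf, n, idx, out, out_cap);
}

int main(void) {
    printf("well-formed record      -> %ld\n", run_case(4, 0, 8));    /* 2 */
    printf("length past end of tag  -> %ld\n", run_case(1000, 0, 8)); /* -1 */
    printf("odd byte length         -> %ld\n", run_case(3, 0, 8));    /* -1 */
    printf("destination too small   -> %ld\n", run_case(4, 0, 1));    /* -1 */
    printf("record index out of range -> %ld\n", run_case(4, 1, 8));  /* -1 */
    return 0;
}
```

The point of the pattern is ordering: the reader rejects the record when its declared length runs past the end of the tag, is not a whole number of code units, or exceeds the destination capacity, and only then copies. A parser that trusts the record's length field and sizes or fills a heap buffer from it is exactly where CWE-20 turns into a heap buffer overflow. For the vulnerability on this page, the fix is to upgrade to iccDEV 2.3.1.2 or later; the example only shows what that class of fix looks like in a reader.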

Summary generated and translated by AI from the official description.
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow in CIccLocalizedUnicode::GetText(). This issue has been patched in version 2.3.1.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
