CVE-2026-22255

iccDEV has heap-buffer-overflow in CIccCLUT::Init() at IccProfLib/IccTagLut.cpp

CVSS 8.8 HIGHEPSS 0.4%CWE-130 CWE-20 CWE-252

In short

iccDEV library versions before 2.3.1.2 have a memory overflow flaw in the color profile processing code. An attacker can craft a malicious ICC color profile that crashes the application or potentially executes arbitrary code when processed.

Technical detail

A heap-buffer-overflow exists in CIccCLUT::Init() function when parsing ICC color profiles with malformed lookup table data. The vulnerability is triggered during profile parsing without authentication, and successful exploitation can lead to denial of service or arbitrary code execution depending on memory layout and application context.

Summary generated and translated by AI from the official description.

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

InternationalColorConsortium · iccDEV

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/InternationalColorConsortium/iccDEV/issues/466 https://github.com/InternationalColorConsortium/iccDEV/pull/469 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-qv2w-mq3g-73gv