Iccdev
CVE-2026-34537
MEDIUM
Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) in CIccOpDefEnvVar::Exec() due to invalid enum values being loaded for icSigCmmEnvVar. The issue is observable under UBSan as a “load of value … not a valid value for type icSigCmmEnvVar”, indicating an invalid enum/type value being consumed during ICC profile processing. This issue has been patched in version 2.3.1.6.
AnalysisAI
Local denial of service in iccDEV prior to version 2.3.1.6 allows unauthenticated local attackers to crash applications processing ICC color profiles by crafting malicious profiles that trigger undefined behavior through invalid enum values in CIccOpDefEnvVar::Exec(). The vulnerability requires local file access but no privilege escalation, with an EPSS score of 6.2 reflecting moderate real-world risk. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
iccDEV is a library for processing ICC (International Color Consortium) color management profiles, which are binary files defining color transformations used across imaging and graphics applications. The vulnerability resides in the CIccOpDefEnvVar::Exec() function, which processes environment variable operations defined within ICC profiles. The root cause is improper validation of enum values (icSigCmmEnvVar type) loaded from untrusted profile data; when a crafted profile contains an out-of-range enum value, the application performs a load operation on an invalid type, triggering undefined behavior detectable by UBSan (Undefined Behavior Sanitizer). CWE-758 (Reliance on Undefined Behavior) classifies this as a broader category of unsafe type handling where the C/C++ standard does not guarantee behavior, allowing compilers to optimize unpredictably or crash. The attack surface is any application linked against iccDEV that processes untrusted ICC profiles without sufficient input validation.
RemediationAI
Vendor-released patch: iccDEV version 2.3.1.6 or later. Users should upgrade their iccDEV dependency to version 2.3.1.6 as published on GitHub (https://github.com/InternationalColorConsortium/iccDEV/releases). For applications distributing iccDEV as a bundled library, rebuild and redeploy with the patched version. Until patching is feasible, mitigate by restricting processing of ICC profiles from untrusted sources, implementing file validation to reject profiles with suspicious characteristics, or running profile processing in sandboxed or isolated environments. Additional context is available in the GitHub security advisory (https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3m63-c4jf-592f) and the merged pull request 685 documenting the fix.
iccDEV ICC color profile library (through 2.3.1) has a use-after-free in CIccXform::Create() when processing hint object
Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution through maliciously crafted ICC c
Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution when processing maliciously craft
Heap buffer overflow in iccDEV versions 2.3.1.1 and earlier allows remote code execution through maliciously crafted ICC
Type confusion in iccDEV library versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code executi
iccDEV color management library versions 2.3.1 and earlier contain undefined behavior in the CLUT initialization functio
iccDEV ICC color profile libraries versions 2.3.1.1 and earlier suffer from undefined behavior and out-of-memory errors
Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color
Type confusion in iccDEV versions before 2.3.1.2 allows attackers to corrupt memory and achieve high-impact outcomes inc
Type confusion in iccDEV versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code execution throu
Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color
Heap buffer overflow in iccDEV versions prior to 2.3.1.2 allows remote attackers to execute arbitrary code through the C
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today