Iccdev
CVE-2026-34541
MEDIUM
Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) via a null-pointer member call in CIccCombinedConnectionConditions::CIccCombinedConnectionConditions() (reported by UBSan as “member call on null pointer of type CIccTagSpectralViewingConditions”). The issue is reachable when running iccApplyNamedCmm with -PCC using a malformed .icc profile. This issue has been patched in version 2.3.1.6.
AnalysisAI
Denial of service in iccDEV prior to version 2.3.1.6 allows local attackers to crash the iccApplyNamedCmm tool by supplying a malformed ICC color profile that triggers a null-pointer dereference in the CIccCombinedConnectionConditions constructor. The vulnerability requires local file system access to provide the crafted profile and causes application termination with no code execution or data corruption, affecting users processing untrusted ICC profiles through the -PCC flag.
Technical ContextAI
iccDEV is a C++ library implementing the ICC color management specification for profile manipulation and conversion workflows. The vulnerability stems from CWE-476 (null pointer dereference) within the CIccCombinedConnectionConditions class constructor, which fails to validate a null pointer member of type CIccTagSpectralViewingConditions before invoking its methods. This occurs during profile parsing when the iccApplyNamedCmm command-line tool processes the -PCC (Profile Connection Conditions) argument with a specially crafted .icc file containing malformed connection condition data. The UBSan (Undefined Behavior Sanitizer) compiler instrumentation detects the invalid member access, confirming undefined behavior rather than a controlled exception.
RemediationAI
Upgrade iccDEV to version 2.3.1.6 or later, which includes the fix merged in GitHub PR #691 that adds null-pointer validation to the CIccCombinedConnectionConditions constructor. For users unable to upgrade immediately, avoid processing ICC profiles from untrusted sources, and disable or restrict use of iccApplyNamedCmm with the -PCC flag if the input profile origin cannot be verified. The patch is available in the official iccDEV repository at https://github.com/InternationalColorConsortium/iccDEV/pull/691, and users should consult the security advisory at https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-9p35-7hp5-4hg4 for deployment guidance.
iccDEV ICC color profile library (through 2.3.1) has a use-after-free in CIccXform::Create() when processing hint object
Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution through maliciously crafted ICC c
Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution when processing maliciously craft
Heap buffer overflow in iccDEV versions 2.3.1.1 and earlier allows remote code execution through maliciously crafted ICC
Type confusion in iccDEV library versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code executi
iccDEV color management library versions 2.3.1 and earlier contain undefined behavior in the CLUT initialization functio
iccDEV ICC color profile libraries versions 2.3.1.1 and earlier suffer from undefined behavior and out-of-memory errors
Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color
Type confusion in iccDEV versions before 2.3.1.2 allows attackers to corrupt memory and achieve high-impact outcomes inc
Type confusion in iccDEV versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code execution throu
Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color
Heap buffer overflow in iccDEV versions prior to 2.3.1.2 allows remote attackers to execute arbitrary code through the C
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Null Pointer Dereference
View allShare
External POC / Exploit Code
Leaving vuln.today