Iccdev
CVE-2026-34549
MEDIUM
Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in IccUtil.cpp triggered by a crafted input profile. Under UndefinedBehaviorSanitizer, the issue is reported as invalid left shift operations on icUInt32Number (unsigned 32-bit) where the shifted value “cannot be represented” in that type. This issue has been patched in version 2.3.1.6.
AnalysisAI
Denial of service via crafted ICC color profile in iccDEV library prior to version 2.3.1.6 triggers undefined behavior through invalid left shift operations on 32-bit unsigned integers, causing application crashes. The vulnerability affects all iccDEV versions before 2.3.1.6 and requires only local file access to exploit (no authentication or user interaction required beyond opening a malicious profile). No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
iccDEV is the reference implementation library for ICC color profiles, used by image processing and color management applications to parse and validate ICC profile data structures. The vulnerability exists in IccUtil.cpp and involves undefined behavior triggered during bitwise shift operations on icUInt32Number types (unsigned 32-bit integers) when processing crafted input. Under UndefinedBehaviorSanitizer detection, the issue manifests as left shift operations where the result cannot be represented within the type's range. CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior) classifies this as a category of undefined behavior exploitation. Any application linking against iccDEV and consuming untrusted ICC profile files is potentially vulnerable.
RemediationAI
Vendor-released patch: iccDEV version 2.3.1.6. Upgrade iccDEV to version 2.3.1.6 or later. Applications and libraries that depend on iccDEV should update their dependency to the patched version and rebuild/redeploy. No workarounds are documented in the available references. Consult the GitHub pull request at https://github.com/InternationalColorConsortium/iccDEV/pull/726 for technical details of the fix.
iccDEV ICC color profile library (through 2.3.1) has a use-after-free in CIccXform::Create() when processing hint object
Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution through maliciously crafted ICC c
Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution when processing maliciously craft
Heap buffer overflow in iccDEV versions 2.3.1.1 and earlier allows remote code execution through maliciously crafted ICC
Type confusion in iccDEV library versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code executi
iccDEV color management library versions 2.3.1 and earlier contain undefined behavior in the CLUT initialization functio
iccDEV ICC color profile libraries versions 2.3.1.1 and earlier suffer from undefined behavior and out-of-memory errors
Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color
Type confusion in iccDEV versions before 2.3.1.2 allows attackers to corrupt memory and achieve high-impact outcomes inc
Type confusion in iccDEV versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code execution throu
Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color
Heap buffer overflow in iccDEV versions prior to 2.3.1.2 allows remote attackers to execute arbitrary code through the C
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today