Skip to main content

Iccdev CVE-2026-34553

MEDIUM
Return of Stack Variable Address (CWE-562)
2026-03-31 GitHub_M
4.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.0 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 31, 2026 - 22:32 vuln.today
CVE Published
Mar 31, 2026 - 22:17 nvd
MEDIUM 4.0

DescriptionGitHub Advisory

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is a defect in LUT dump/iteration logic affecting CIccCLUT::Iterate() and output produced by CIccMBB::Describe() (via CLUT dumping). This issue has been patched in version 2.3.1.6.

AnalysisAI

Local integrity modification in iccDEV prior to version 2.3.1.6 affects the CIccCLUT::Iterate() function and CLUT dumping output in CIccMBB::Describe(), allowing local attackers without privileges to alter ICC color profile data integrity. The vulnerability requires local access and produces incorrect LUT (Look-Up Table) dump output that could compromise color management workflows relying on accurate profile representation.

Technical ContextAI

iccDEV is the official toolkit maintained by the International Color Consortium for creating and validating ICC color profiles. The vulnerability exists in the LUT (Look-Up Table) iteration and dumping logic within the CLUT (Color Look-Up Table) component of the library. CWE-562 (Return Inside Finally Block) indicates a control flow defect where exception handling or early returns in the LUT iteration mechanism produce corrupted or incorrect output when dumping CLUT data structures via the CIccMBB::Describe() method. This affects downstream tools and applications that depend on iccDEV libraries to read, validate, or serialize ICC profile CLUT data, potentially distributing incorrect color transformation information.

RemediationAI

Vendor-released patch: iccDEV 2.3.1.6 or later. Developers and system administrators using iccDEV should update the library to version 2.3.1.6 to receive the patched CIccCLUT::Iterate() and CLUT dumping logic. The fix is available via the International Color Consortium's GitHub repository (https://github.com/InternationalColorConsortium/iccDEV). Upstream fixes are documented in PR #737 and Issue #704. Workarounds are not applicable; patching is the only remedy. Applications and color management tools built on vulnerable iccDEV versions should be rebuilt and redeployed with the updated library.

More in Iccdev

View all
CVE-2026-21675 CRITICAL POC
9.8 Jan 06

iccDEV ICC color profile library (through 2.3.1) has a use-after-free in CIccXform::Create() when processing hint object

CVE-2026-24412 HIGH POC
8.8 Jan 24

Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution through maliciously crafted ICC c

CVE-2026-24406 HIGH POC
8.8 Jan 24

Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution when processing maliciously craft

CVE-2026-24405 HIGH POC
8.8 Jan 24

Heap buffer overflow in iccDEV versions 2.3.1.1 and earlier allows remote code execution through maliciously crafted ICC

CVE-2026-21688 HIGH POC
8.8 Jan 07

Type confusion in iccDEV library versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code executi

CVE-2026-21677 HIGH POC
8.8 Jan 06

iccDEV color management library versions 2.3.1 and earlier contain undefined behavior in the CLUT initialization functio

CVE-2026-21485 HIGH POC
8.8 Jan 06

iccDEV ICC color profile libraries versions 2.3.1.1 and earlier suffer from undefined behavior and out-of-memory errors

CVE-2026-22047 HIGH POC
8.8 Jan 07

Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color

CVE-2026-21693 HIGH POC
8.8 Jan 07

Type confusion in iccDEV versions before 2.3.1.2 allows attackers to corrupt memory and achieve high-impact outcomes inc

CVE-2026-21692 HIGH POC
8.8 Jan 07

Type confusion in iccDEV versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code execution throu

CVE-2026-21682 HIGH POC
8.8 Jan 07

Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color

CVE-2026-21679 HIGH POC
8.8 Jan 07

Heap buffer overflow in iccDEV versions prior to 2.3.1.2 allows remote attackers to execute arbitrary code through the C

Share

CVE-2026-34553 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy