Skip to main content

Suse CVE-2026-41254

| EUVDEUVD-2026-23668 MEDIUM
Incorrect Behavior Order (CWE-696)
2026-04-18 mitre GHSA-hc77-37fq-x324
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
SUSE
7.5 HIGH
AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 18, 2026 - 07:14 vuln.today
EUVD ID Assigned
Apr 18, 2026 - 07:00 euvd
EUVD-2026-23668
Analysis Generated
Apr 18, 2026 - 07:00 vuln.today
CVE Published
Apr 18, 2026 - 06:43 nvd
MEDIUM 4.0

DescriptionCVE.org

Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.

AnalysisAI

Integer overflow in Little CMS (lcms2) version 2.18 and earlier allows local attackers to trigger a buffer overflow via CubeSize calculation in cmslut.c, where the overflow check occurs after rather than before multiplication. This can result in memory corruption leading to information disclosure or denial of service with low complexity requirements. No active exploitation in CISA KEV confirmed at time of analysis, but proof-of-concept technical details are publicly available.

Technical ContextAI

Little CMS (lcms2) is a widely-used open-source color management library that processes ICC color profiles and LUT (lookup table) data. The vulnerability exists in the CubeSize calculation logic within cmslut.c, where an integer multiplication operation can overflow before validation checks are applied. The affected CPE (cpe:2.3:a:littlecms:little_cms_color_engine) indicates the Little CMS Color Engine component across affected versions. CWE-696 (Incorrect Behavior Order: Validation Before Use) identifies the root cause: the code multiplies dimensions without first verifying that the result will fit within integer bounds, then checks for overflow on the already-overflowed value. This is a classic order-of-operations vulnerability where the check is rendered ineffective due to two's-complement wraparound. The vulnerability manifests in LUT construction, typically triggered when processing specially-crafted ICC color profile files that specify large dimensional values.

RemediationAI

Upgrade Little CMS (lcms2) to a version incorporating commits da6110b1d14abc394633a388209abd5ebedd7ab0 and e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc, which move the overflow check before the multiplication operation. For packaged installations, update via your distribution's package manager (apt-get, yum, brew, or equivalent) when patched versions become available - as of now, verify that your distribution has released a patched version. For applications directly embedding lcms2, rebuild with the fixed source. If immediate patching is not possible, restrict processing of ICC color profiles to trusted sources only: disable automatic profile loading from untrusted user uploads, validate profile provenance cryptographically, or sandbox color profile processing in a separate process with limited privileges. Note that restricting profile sources reduces exploit surface but may limit legitimate color management functionality depending on application requirements. Monitor the GitHub repository (https://github.com/mm2/Little-CMS) and the GHSA advisory for patched release versions.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

CVE-2026-41254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy