Skip to main content

Little CMS (lcms2) CVE-2026-42798

| EUVDEUVD-2026-26351 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-04-30 mitre
4.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
SUSE
3.1 LOW
AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

7
Patch released
Apr 30, 2026 - 15:48 nvd
Patch available
Patch available
Apr 30, 2026 - 09:01 EUVD
Source Code Evidence Fetched
Apr 30, 2026 - 07:45 vuln.today
Analysis Generated
Apr 30, 2026 - 07:45 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 07:15 euvd
EUVD-2026-26351
Analysis Generated
Apr 30, 2026 - 07:15 vuln.today
CVE Published
Apr 30, 2026 - 06:34 nvd
MEDIUM 4.0

DescriptionCVE.org

Little CMS (lcms2) 2.16 through 2.18 before 2.19 has an integer overflow in ParseCube in cmscgats.c.

AnalysisAI

Integer overflow in Little CMS color engine versions 2.16 through 2.18 allows local attackers to trigger integer overflow in the ParseCube function when processing specially crafted color lookup table (LUT) input files, potentially resulting in buffer overflow and denial of service or information disclosure. The vulnerability affects the CGATS parser used for loading ICC color profiles and LUT data. No public exploit code identified at time of analysis, though upstream fix is available in version 2.19.

Technical ContextAI

Little CMS (lcms2) is a color management engine commonly used in image processing applications and document viewers. The ParseCube function in cmscgats.c processes CGATS (Color And Appearance Technology Specification) file format color lookup tables (LUTs). When parsing a cube LUT, the code calculates the total number of nodes as lut_size × lut_size × lut_size without validating that lut_size exceeds safe bounds. On 32-bit systems or with large lut_size values, this multiplication can wrap around, causing integer overflow (CWE-190). The overflow occurs during memory allocation or buffer operations, potentially leading to heap corruption. The vulnerability is rooted in insufficient input validation before arithmetic operations on untrusted data from color profile files.

RemediationAI

Upgrade lcms2 to version 2.19 or later, which includes input validation in ParseCube that rejects LUT sizes exceeding 65 (matching professional tool limits). For applications embedding lcms2, rebuild against the patched library version. If immediate upgrade is not feasible, mitigate by restricting parsing of ICC profiles and CGATS files to trusted sources: disable automatic ICC profile loading from untrusted documents, validate file sources before processing, and consider sandboxing color profile processing in applications that handle user-supplied documents. These controls trade convenience (automatic color management) for security; assess whether your workflow requires processing profiles from external sources. The upstream fix is confirmed in commit 6a686019825a89b715d16671f18d049523354176 and GitHub release comparison lcms2.18...lcms2.19.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

CVE-2026-42798 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy