CVE-2026-21485
iccDEV Undefined Behavior (UB) and Out of Memory in CIccProfile::LoadTag()
In short
iccDEV color profile library versions 2.3.1.1 and earlier have memory handling bugs that can cause crashes or unpredictable behavior when processing malformed ICC profile files. These flaws could be exploited by attackers distributing specially crafted color profile files.
Technical detail
CIccProfile::LoadTag() in iccDEV ≤2.3.1.1 contains out-of-bounds read conditions (CWE-125) and integer overflow vulnerabilities (CWE-190) leading to undefined behavior and memory exhaustion. The attack vector is a maliciously crafted ICC profile file supplied to the library; no authentication is required. Impact includes denial of service and potential information disclosure.
Summary generated and translated by AI from the official description.
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
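As an added illustration of the CWE-190/CWE-125 combination named above (example code, not iccDEV's own source, and not a reproduction of the specific defect in CIccProfile::LoadTag(), which this page does not detail): a hardened bounds check for one ICC tag-table entry, beside a hypothetical naive check that a wrapping offset+size would pass. The layout constants follow the ICC profile format (128-byte header, big-endian tag count, 12-byte entries); the sample profile bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* ICC layout: 128-byte header, 4-byte BE tag count, then 12-byte BE entries (sig, offset, size). */
#define ICC_HDR 128u
#define ICC_ENTRY 12u
#define SAMPLE_LEN 164

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Hypothetical naive check, shown only for contrast: a 32-bit offset+size can
 * wrap to a small value and pass (CWE-190 leading to CWE-125). */
int icc_tag_check_naive(const uint8_t *buf, size_t len, uint32_t i) {
    const uint8_t *e = buf + ICC_HDR + 4 + i * ICC_ENTRY;
    return be32(e + 4) + be32(e + 8) <= len;   /* sum truncated to uint32_t before compare */
}

/* Hardened check: table must fit, data range must lie inside the buffer and
 * past the header, and every sum is done in 64 bits so nothing can wrap. */
int icc_tag_check(const uint8_t *buf, size_t len, uint32_t i,
                  uint32_t *off_out, uint32_t *size_out) {
    if (len < ICC_HDR + 4) return 0;
    uint32_t count = be32(buf + ICC_HDR);
    if (i >= count) return 0;
    if ((uint64_t)ICC_HDR + 4 + (uint64_t)count * ICC_ENTRY > len) return 0;
    const uint8_t *e = buf + ICC_HDR + 4 + (size_t)i * ICC_ENTRY;
    uint32_t off = be32(e + 4), size = be32(e + 8);
    if (size < 8 || off < ICC_HDR + 4) return 0;   /* type sig + reserved; never inside header */
    if ((uint64_t)off + size > len) return 0;
    if (off_out) *off_out = off;
    if (size_out) *size_out = size;
    return 1;
}

/* Constructed 164-byte sample: count = 2; entry 0 is valid (offset 156, size 8,
 * ending exactly at the buffer end); entry 1 carries an offset that wraps. */
static uint8_t g_sample[SAMPLE_LEN];
const uint8_t *icc_build_sample(void) {
    memset(g_sample, 0, SAMPLE_LEN);
    put32(g_sample + ICC_HDR, 2);
    put32(g_sample + 132, 0x64657363); put32(g_sample + 136, 156);         put32(g_sample + 140, 8);
    put32(g_sample + 144, 0x63707274); put32(g_sample + 148, 0xFFFFFFF8u); put32(g_sample + 152, 0x10);
    return g_sample;
}
```

Entry 1 has offset 0xFFFFFFF8 and size 0x10, so the 32-bit sum is 8 and the naive check accepts it, while the 64-bit comparison rejects it.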
Affected products
InternationalColorConsortium · iccDEV