CVE-2026-22047
Heap Buffer Overflow in iccDEV ICC Profile Processing Library
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iccdev | iccdev | to 2.3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-252 | The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| CWE-130 | The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap-buffer-overflow in the iccDEV library, specifically in the function SIccCalcOp::Describe() within the IccProfLib/IccMpeCalc.cpp file. It affects versions prior to 2.3.1.2 and occurs when processing ICC color profiles, potentially causing memory corruption.
How can this vulnerability impact me? :
The vulnerability can lead to severe impacts including unauthorized disclosure, modification, or destruction of data, as indicated by the high CVSS score (8.8) with high impact on confidentiality, integrity, and availability. It may allow attackers to execute arbitrary code or cause a denial of service when processing malicious ICC color profiles.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the iccDEV library to version 2.3.1.2 or later, as this version contains the patch for the heap-buffer-overflow vulnerability. No known workarounds are available.