CVE-2026-22255
Heap Buffer Overflow in iccDEV CIccCLUT::Init() Function
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| international_color_consortium | iccdev | up to 2.3.1.2 (exclusive) |
| international_color_consortium | iccdev | 2.3.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-252 | The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| CWE-130 | The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22255 is a heap-buffer-overflow vulnerability in the iccDEV library, specifically in the function CIccCLUT::Init() within the file IccProfLib/IccTagLut.cpp. The issue occurs when the size of the gridpoints array does not match the expected number of input channels during ICC color profile processing, causing out-of-bounds memory access. This can lead to memory corruption or crashes. The vulnerability was fixed by adding validation checks to ensure the gridpoints array size is equal to or greater than the expected inputs before proceeding, preventing the overflow. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can have a high impact, as exploitation allows an attacker to cause heap buffer overflow leading to potential data disclosure, data modification, or denial of service (crashes or service disruption). The CVSS score is 8.8, indicating high severity. The attack can be performed remotely over the network without privileges but requires some user interaction. Users processing ICC color profiles with vulnerable versions of iccDEV are at risk. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to parse malformed ICC profile XML files where the number of GridPoints and InputChannels do not match, which triggers error messages such as "The number of GridPoints and InputChannels do not match" and causes parsing failures. Detection can also be aided by using tools like AddressSanitizer to identify heap-buffer-overflow errors during ICC profile processing, especially in the function CIccCLUT::Init(). Specific commands are not provided in the resources, but running the iccDEV library's ICC profile parsing on crafted malformed XML profiles or using AddressSanitizer during testing can help detect the issue. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the iccDEV library to version 2.3.1.2 or later, where the heap-buffer-overflow vulnerability in CIccCLUT::Init() has been patched by adding validation checks to ensure the size of the gridpoints array matches the expected input channels. No workarounds are available, so upgrading to the fixed version is essential to prevent exploitation. [2, 1]
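As an added illustration (hypothetical code, not iccDEV's CIccCLUT::Init() and not the actual patch), the following C++ helper shows the shape of the validation described in the answers above: the per-dimension gridpoints array must hold at least as many entries as there are input channels before it is indexed, and the caller must act on the result of that check rather than ignore it (CWE-252). The overflow guard on the size product is an extra check added here, not taken from the page.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Simplified model of a CLUT initialisation step (hypothetical, not iccDEV's code).
// gridPoints holds one grid size per input dimension, as parsed from the profile;
// nInput is the number of input channels the CLUT is declared to have. The defect
// class on this page: reading gridPoints[i] for i < nInput without first checking
// that the array really has nInput entries.
struct ClutDims {
    bool ok = false;            // false when validation failed
    std::uint64_t entries = 0;  // total number of grid entries (product of sizes)
};

// Hardened version: refuse to proceed unless the gridpoints array holds at least
// one entry per input channel (the check the fix adds); the product overflow
// guard is an additional precaution not described on the page.
ClutDims clutDimsChecked(const std::vector<std::uint8_t>& gridPoints,
                         std::size_t nInput) {
    ClutDims d;
    if (nInput == 0 || gridPoints.size() < nInput) {
        return d;  // length field inconsistent with the data (CWE-130): reject
    }
    std::uint64_t total = 1;
    for (std::size_t i = 0; i < nInput; ++i) {
        if (gridPoints[i] == 0) return d;  // a zero-sized dimension is invalid
        if (total > std::numeric_limits<std::uint64_t>::max() / gridPoints[i]) {
            return d;                      // product would overflow
        }
        total *= gridPoints[i];
    }
    d.ok = true;
    d.entries = total;
    return d;
}

// Caller: the validation result is consumed (CWE-252), and the table is only
// sized after the dimensions and output channel count were accepted.
bool initClut(const std::vector<std::uint8_t>& gridPoints, std::size_t nInput,
              std::size_t nOutput, std::vector<float>& table) {
    ClutDims d = clutDimsChecked(gridPoints, nInput);
    if (!d.ok || nOutput == 0) return false;
    if (d.entries > std::numeric_limits<std::size_t>::max() / nOutput) return false;
    table.assign(static_cast<std::size_t>(d.entries) * nOutput, 0.0f);
    return true;
}
```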