CVE-2026-25503
Type Confusion in iccDEV ICC Profile Parsing Causes DoS
Publication date: 2026-02-03
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | up to 2.3.1.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-704 | The product does not correctly convert an object, resource, or structure from one type to a different type. |
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-25503 is a type confusion vulnerability in the iccDEV library that can lead to denial of service or arbitrary code execution when processing malformed ICC profiles. The vulnerability impacts availability but does not affect confidentiality or integrity directly.
Since the vulnerability does not compromise confidentiality of data or integrity of information, it does not directly violate data protection requirements under standards like GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.
However, the denial of service or potential arbitrary code execution could indirectly affect compliance by disrupting availability of systems or services that rely on iccDEV for color profile processing, which may be critical in regulated environments.
Organizations using vulnerable versions of iccDEV should update to version 2.3.1.2 or later to mitigate risks and maintain operational stability, which supports compliance with availability requirements in various standards.
Can you explain this vulnerability to me?
CVE-2026-25503 is a type confusion vulnerability in the iccDEV library, specifically in the function CIccTagEmbeddedHeightImage::Validate(). It occurs when malformed ICC color profiles contain invalid icImageEncodingType values, causing the software to misinterpret data types during profile parsing.
This type confusion leads to undefined behavior such as manipulation of ICC tag tables, offsets, or size fields, which can cause parsing errors or memory corruption in image-processing libraries that use iccDEV.
The vulnerability can be exploited by attackers crafting malicious ICC profiles that trigger these errors, potentially resulting in denial of service or, in some cases, arbitrary code execution when vulnerable native libraries process these profiles.
The issue was patched in iccDEV version 2.3.1.2 by enforcing a consistent 32-bit size for the enumeration used in the validation function, preventing incorrect type interpretation.
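As an added illustration (not iccDEV's own code), the defensive pattern the fix describes: pin the encoding-type enumeration to the 32-bit width of the on-disk field and range-check the raw integer against the known enumerators before it is ever interpreted as an enum. The enumerator names and values, the sample tag layout and the function names are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for an ICC image-encoding enumeration (not iccDEV's
// declaration). The explicit uint32_t underlying type pins the enum to the
// 32-bit width of the on-disk field, so the value read from the profile and
// the type it is compared against always have the same size.
enum class EncodingType : uint32_t {
    kRaw  = 0,   // constructed value
    kPng  = 1,   // constructed value
    kTiff = 2,   // constructed value
};

// ICC profiles store integers big-endian; read one 32-bit field.
static uint32_t readBE32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

// Accept the field only if it names a known encoding type. The raw integer
// is range-checked before anything casts it to EncodingType: casting an
// out-of-range value into an enum without a fixed underlying type is
// undefined behaviour in C++, which is what UBSan's enum check reports.
bool validateEncodingField(const uint8_t* tag, size_t len, size_t off) {
    if (len < 4 || off > len - 4) return false;   // field must fit in the tag
    switch (readBE32(tag + off)) {
        case uint32_t(EncodingType::kRaw):
        case uint32_t(EncodingType::kPng):
        case uint32_t(EncodingType::kTiff):
            return true;
        default:
            return false;   // e.g. 0xFFFFFFFF written by a malformed profile
    }
}

// Constructed sample tag payloads (not taken from any real profile): a 4-byte
// signature, 4 reserved bytes, then the 32-bit encoding field at offset 8.
const uint8_t kGoodTag[12] = {'t','e','s','t', 0,0,0,0, 0,0,0,1};
const uint8_t kBadTag[12]  = {'t','e','s','t', 0,0,0,0, 0xFF,0xFF,0xFF,0xFF};

int main() {
    std::printf("good tag valid: %d\n", validateEncodingField(kGoodTag, sizeof kGoodTag, 8));
    std::printf("bad tag valid:  %d\n", validateEncodingField(kBadTag, sizeof kBadTag, 8));
    return 0;
}
```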
How can this vulnerability impact me?
This vulnerability can impact users by allowing attackers to cause denial of service (DoS) in applications that use the iccDEV library to process ICC color profiles.
In some cases, exploitation may lead to arbitrary code execution, which could compromise the security of the affected system.
The attack requires no privileges but does require user interaction, such as opening or processing a maliciously crafted ICC profile.
The impact includes high availability impact due to potential crashes or service interruptions, and low integrity impact due to possible manipulation of profile metadata.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-25503 involves identifying malformed ICC profiles that trigger type confusion in the iccDEV library, specifically in the CIccTagEmbeddedHeightImage::Validate() function. A practical approach is to analyze ICC profiles for invalid icImageEncodingType values that cause undefined behavior.
One method is to use the iccDEV toolset to convert suspicious XML ICC profile representations into binary ICC profiles with the command-line tool `iccFromXml`. For example, converting a crafted XML profile that triggers the issue can help detect the vulnerability:
- `iccFromXml ub-runtime-error-type-confusion-IccTagBasic_cpp-Line12084.xml foo.icc`
If the profile is malformed, this conversion triggers runtime errors or warnings related to invalid icImageEncodingType values, which can be detected by running the tool with sanitizers enabled (such as UndefinedBehaviorSanitizer). Monitoring logs for such errors or warnings can help identify exploitation attempts or vulnerable profiles.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update the iccDEV library to version 2.3.1.2 or later, where this type confusion vulnerability has been patched.
No workarounds are provided, so applying the official patch or upgrading to the fixed version is essential to prevent exploitation.
Additionally, avoid processing untrusted or malformed ICC profiles from unknown sources to reduce the risk of triggering the vulnerability.