CVE-2026-25503
Unknown Unknown - Not Provided
Type Confusion in iccDEV ICC Profile Parsing Causes DoS

Publication date: 2026-02-03

Last updated on: 2026-02-10

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ICC profiles to trigger undefined behavior when loading invalid icImageEncodingType values causing denial of service. This issue has been patched in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25503
EUVD
EUVD-2026-5192
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
color iccdev to 2.3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-704 The product does not correctly convert an object, resource, or structure from one type to a different type.
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-25503 is a type confusion vulnerability in the iccDEV library, specifically in the function CIccTagEmbeddedHeightImage::Validate(). It occurs when malformed ICC color profiles contain invalid icImageEncodingType values, causing the software to misinterpret data types during profile parsing.

This type confusion leads to undefined behavior such as manipulation of ICC tag tables, offsets, or size fields, which can cause parsing errors or memory corruption in image-processing libraries that use iccDEV.

The vulnerability can be exploited by attackers crafting malicious ICC profiles that trigger these errors, potentially resulting in denial of service or, in some cases, arbitrary code execution when vulnerable native libraries process these profiles.

The issue was patched in iccDEV version 2.3.1.2 by enforcing a consistent 32-bit size for the enumeration used in the validation function, preventing incorrect type interpretation.

Compliance Impact

CVE-2026-25503 is a type confusion vulnerability in the iccDEV library that can lead to denial of service or arbitrary code execution when processing malformed ICC profiles. The vulnerability impacts availability but does not affect confidentiality or integrity directly.

Since the vulnerability does not compromise confidentiality of data or integrity of information, it does not directly violate data protection requirements under standards like GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

However, the denial of service or potential arbitrary code execution could indirectly affect compliance by disrupting availability of systems or services that rely on iccDEV for color profile processing, which may be critical in regulated environments.

Organizations using vulnerable versions of iccDEV should update to version 2.3.1.2 or later to mitigate risks and maintain operational stability, which supports compliance with availability requirements in various standards.

Impact Analysis

This vulnerability can impact users by allowing attackers to cause denial of service (DoS) in applications that use the iccDEV library to process ICC color profiles.

In some cases, exploitation may lead to arbitrary code execution, which could compromise the security of the affected system.

The attack requires no privileges but does require user interaction, such as opening or processing a maliciously crafted ICC profile.

The impact includes high availability impact due to potential crashes or service interruptions, and low integrity impact due to possible manipulation of profile metadata.

Detection Guidance

Detection of CVE-2026-25503 involves identifying malformed ICC profiles that trigger type confusion in the iccDEV library, specifically in the CIccTagEmbeddedHeightImage::Validate() function. A practical approach is to analyze ICC profiles for invalid icImageEncodingType values that cause undefined behavior.

One method is to use the iccDEV toolset to convert suspicious XML ICC profile representations into binary ICC profiles using the command-line tool `iccFromXml`. For example, converting a crafted XML profile that triggers the issue can help detect the vulnerability:

  • iccFromXml ub-runtime-error-type-confusion-IccTagBasic_cpp-Line12084.xml foo.icc

If the profile is malformed, this conversion triggers runtime errors or warnings related to invalid icImageEncodingType values, which can be detected by running the tool with sanitizers enabled (such as UndefinedBehaviorSanitizer). Monitoring logs for such errors or warnings can help identify exploitation attempts or vulnerable profiles.

Mitigation Strategies

The primary and immediate mitigation step is to update the iccDEV library to version 2.3.1.2 or later, where this type confusion vulnerability has been patched.

No workarounds are provided, so applying the official patch or upgrading to the fixed version is essential to prevent exploitation.

Additionally, avoid processing untrusted or malformed ICC profiles from unknown sources to reduce the risk of triggering the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25503. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart