CVE-2026-25634
Stack Buffer Overlap Vulnerability in iccDEV Color Management Library
Publication date: 2026-02-06
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | up to 2.3.1.4 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-628 | The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-123 | Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow. |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-682 | The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25634 is a high-severity vulnerability in the iccDEV library, specifically in the function CIccTagMultiProcessElement::Apply(). The issue arises because the function uses memcpy to copy data between two stack buffers, SrcPixel and DestPixel, whose memory regions overlap. This overlap occurs due to improper validation of the size parameter controlling the copy, which is derived from the ICC profile's input channel count.

Because the source and destination buffers overlap during the memcpy operation, this can lead to undefined behavior such as memory corruption. The vulnerability stems from the lack of checks ensuring that the source and destination buffers do not overlap before copying.

The vulnerability was fixed in version 2.3.1.4 by adding validation of channel counts before applying the color transform, relocating these checks to an earlier stage to catch invalid configurations, and returning errors instead of proceeding with unsafe memory operations. [1, 2, 5]
How can this vulnerability impact me?
This vulnerability can lead to memory corruption due to overlapping memcpy operations between stack buffers when processing ICC color profiles. Exploiting this flaw can cause denial of service by crashing the application or potentially enable arbitrary code execution within the vulnerable native library.
Attackers can craft malicious ICC profiles with manipulated tag tables, offsets, or size fields to trigger this vulnerability. Although the attacker cannot control the destination pointer, they can influence the size parameter, causing overlapping memory regions during the copy.
The impact includes high severity effects on confidentiality, integrity, and availability of the affected system, as indicated by the CVSS score of 7.8. Users processing ICC profiles with vulnerable versions of iccDEV are at risk.
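The copy pattern described above, as an added illustrative model in C. This is not iccDEV's code: the buffer capacity, the status codes and the two-byte channel-count field are assumptions made for the demo. It places a pre-fix shape (copy length computed from an untrusted channel count with no capacity check) beside the post-fix shape the advisory describes (validate the channel count early and return an error instead of copying):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Capacity of the modelled stack pixel buffers. The real iccDEV sizes and
 * stack layout are not on the page; this constant is a demo assumption. */
#define MAX_CHANNELS 16

enum apply_status { APPLY_OK = 0, APPLY_ERR_CHANNELS = 1, APPLY_ERR_OVERLAP = 2 };

/* Early validation of an untrusted channel count, the shape of the fix the
 * advisory describes: reject before any memory operation is attempted. */
int channels_valid(uint32_t n) {
    return n > 0 && n <= MAX_CHANNELS;
}

/* 1 if the byte ranges [a, a+len) and [b, b+len) share at least one byte.
 * Integer comparison avoids comparing pointers into different objects. */
int ranges_overlap(const void *a, const void *b, size_t len) {
    uintptr_t pa = (uintptr_t)a, pb = (uintptr_t)b;
    return pa < pb + len && pb < pa + len;
}

/* Pre-fix shape (model, not iccDEV code): the copy length is derived from the
 * profile's channel count with no check against the buffer capacity. With
 * n > MAX_CHANNELS the memcpy runs past SrcPixel into whatever is adjacent on
 * the stack, which -fsanitize=address reports as a stack-buffer-overflow or a
 * memcpy-param-overlap. Only ever call this with a valid n. */
int apply_unchecked(const float *in, uint32_t n, float *out) {
    float SrcPixel[MAX_CHANNELS];
    float DestPixel[MAX_CHANNELS];
    size_t bytes = (size_t)n * sizeof(float);
    memcpy(SrcPixel, in, bytes);
    memcpy(DestPixel, SrcPixel, bytes);   /* overflows/overlaps when n is too large */
    memcpy(out, DestPixel, bytes);
    return APPLY_OK;
}

/* Post-fix shape: validate n against the capacity first and make the
 * no-overlap invariant explicit before the copy. Returns an apply_status. */
int apply_checked(const float *in, uint32_t n, float *out) {
    float SrcPixel[MAX_CHANNELS];
    float DestPixel[MAX_CHANNELS];
    if (!channels_valid(n)) return APPLY_ERR_CHANNELS;
    size_t bytes = (size_t)n * sizeof(float);
    memcpy(SrcPixel, in, bytes);
    if (ranges_overlap(SrcPixel, DestPixel, bytes)) return APPLY_ERR_OVERLAP;
    memcpy(DestPixel, SrcPixel, bytes);
    memcpy(out, DestPixel, bytes);
    return APPLY_OK;
}

/* Constructed channel-count field: a big-endian 16-bit value as it might be
 * read from an untrusted profile header. The layout is a demo assumption,
 * not the real ICC multi-process-element encoding. */
uint32_t read_channel_count(const uint8_t hdr[2]) {
    return ((uint32_t)hdr[0] << 8) | hdr[1];
}

int main(void) {
    float in[MAX_CHANNELS] = {0.1f, 0.2f, 0.3f};
    float out[MAX_CHANNELS] = {0};
    uint8_t good_hdr[2] = {0x00, 0x03};   /* constructed: 3 channels, fits */
    uint8_t bad_hdr[2]  = {0x01, 0x00};   /* constructed: 256 channels, rejected */

    printf("n=3   -> status %d\n", apply_checked(in, read_channel_count(good_hdr), out));
    printf("n=256 -> status %d\n", apply_checked(in, read_channel_count(bad_hdr), out));
    return 0;
}
```

Built with the sanitizer flags the detection answer below already lists (`-fsanitize=address,undefined -g`), the checked path returns APPLY_ERR_CHANNELS for the over-range header and never touches the buffers, whereas the unchecked path is exactly the shape AddressSanitizer flags at runtime. The check belongs where the count is first read from the profile, which is why the advisory notes the fix moved validation to an earlier stage.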
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-25634 involves identifying the unsafe memcpy operation in the CIccTagMultiProcessElement::Apply() function where SrcPixel and DestPixel stack buffers overlap. This vulnerability can be detected by running the iccDEV library with AddressSanitizer and UndefinedBehaviorSanitizer enabled, which can catch memory overlaps and undefined behavior during execution.
A practical approach is to use Clang or GCC with sanitizers enabled to compile the iccDEV project and then run tests or processing of ICC profiles, especially crafted or suspicious ones, to trigger the vulnerability detection.
Example commands to detect the issue might include:
- Compile iccDEV with sanitizers: `clang++ -fsanitize=address,undefined -g -o iccdev_test IccTagMPE.cpp ...`
- Run the iccDEV test or profile application with a proof-of-concept ICC or TIFF file that triggers the overlap: `./iccdev_test apply-profile suspicious_profile.icc`
- Monitor the output for AddressSanitizer reports indicating memcpy parameter overlap or memory corruption.
Additionally, reviewing logs or crash reports for memory corruption or segmentation faults during ICC profile processing can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the iccDEV library to version 2.3.1.4 or later, where the vulnerability has been fixed by validating channel counts and preventing unsafe memcpy operations with overlapping buffers.
Until the upgrade can be applied, avoid processing untrusted or malformed ICC profiles that could exploit this vulnerability.
Implement input validation and sanitization on ICC profile data before processing to reduce the risk of triggering the vulnerability.
If possible, run the iccDEV processing in a sandboxed or restricted environment to limit the impact of potential exploitation.
Monitor for updates and security advisories from the iccDEV project and apply patches promptly.