CVE-2026-30978
Heap-Use-After-Free in iccDEV CIccCmm Causes Crash
Publication date: 2026-03-10
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | < 2.3.1.5 (fixed in 2.3.1.5) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-672 | The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. |
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
| CWE-825 | The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30978 is a heap-use-after-free in the International Color Consortium's iccDEV project, in the function CIccCmm::AddXform(). A CIccProfile object is freed but accessed again afterwards; the access goes through the object's virtual table pointer, so the dereference lands in released memory and the program crashes.

The fault arises while color transform objects that depend on CIccProfile instances are created and added to the CMM. Mismanaged ownership of those objects leads the code to touch memory that has already been freed, which is undefined behavior.

The bug was found by fuzz testing. The demonstrated outcome is a crash; as with any use of freed memory, the wider consequences depend on what has reused the allocation by the time the stale pointer is dereferenced. [1, 4]
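The following is an added illustration of the bug class, not iccDEV's code: a transform that borrows a raw pointer to a polymorphic profile becomes a dangling virtual call once the caller frees the profile, while a transform that takes ownership cannot be left pointing at freed memory. The Profile, UnsafeXform, SafeCmm and ObservingCmm names are hypothetical stand-ins chosen to mirror the CIccProfile / CIccCmm::AddXform() relationship described above.

```cpp
// Added example (not iccDEV code): the dangling-profile pattern behind a
// heap-use-after-free in a CMM's AddXform path, and two ownership models
// that prevent it. All class names here are hypothetical stand-ins.
#include <memory>
#include <utility>
#include <vector>

// Stand-in for CIccProfile: a polymorphic object the CMM calls through a vtable.
struct Profile {
    virtual ~Profile() = default;
    virtual int colorSpace() const = 0;
};

struct RgbProfile : Profile {
    int colorSpace() const override { return 3; }   // three channels
};

// Unsafe transform: stores a raw pointer it does not own. If the caller frees
// the profile before the CMM uses the transform, channels() is a virtual call
// through a dangling pointer; an ASan build reports it as heap-use-after-free.
struct UnsafeXform {
    const Profile* profile;          // borrowed, lifetime not enforced
    int channels() const { return profile->colorSpace(); }
};

// Safe transform: shares ownership, so the profile cannot be destroyed while
// any transform still references it.
struct SafeXform {
    std::shared_ptr<const Profile> profile;
    int channels() const { return profile->colorSpace(); }
};

// Hypothetical CMM mirroring the AddXform / Apply split in the advisory.
class SafeCmm {
public:
    bool addXform(std::shared_ptr<const Profile> p) {
        if (!p) return false;        // reject a null profile up front
        xforms_.push_back(SafeXform{std::move(p)});
        return true;
    }
    // Channel count of each stage; safe even after the caller has dropped
    // its own handle to the profile.
    std::vector<int> apply() const {
        std::vector<int> out;
        for (const auto& x : xforms_) out.push_back(x.channels());
        return out;
    }
private:
    std::vector<SafeXform> xforms_;
};

// Variant that only observes the profile and reports, instead of
// dereferencing, when the owner has already released it.
class ObservingCmm {
public:
    void addXform(const std::shared_ptr<const Profile>& p) { xforms_.push_back(p); }
    // Returns false if any referenced profile has already been destroyed.
    bool apply(std::vector<int>& out) const {
        out.clear();
        for (const auto& w : xforms_) {
            auto p = w.lock();       // null if the profile was freed
            if (!p) return false;
            out.push_back(p->colorSpace());
        }
        return true;
    }
private:
    std::vector<std::weak_ptr<const Profile>> xforms_;
};

// Shared ownership keeps the profile alive after the caller lets go of it.
bool ownershipKeepsProfileAlive() {
    SafeCmm cmm;
    {
        auto prof = std::make_shared<RgbProfile>();
        cmm.addXform(prof);
    }   // caller's handle gone; the xform still owns the profile
    auto chans = cmm.apply();
    return chans.size() == 1 && chans[0] == 3;
}

// The weak_ptr variant detects the freed profile instead of dereferencing it.
bool expiredProfileIsDetected() {
    ObservingCmm cmm;
    {
        auto prof = std::make_shared<RgbProfile>();
        cmm.addXform(prof);
    }   // last owner released: the profile is destroyed here
    std::vector<int> chans;
    return cmm.apply(chans) == false && chans.empty();
}

int main() {
    return (ownershipKeepsProfileAlive() && expiredProfileIsDetected()) ? 0 : 1;
}
```

The unsafe form is shown but deliberately never executed: running it under AddressSanitizer is exactly how the advisory's crash presents, with the report naming the function that performs the stale virtual call. The fix in practice is the ownership decision, not the null check: either the transform owns (or shares) the profile, or it must be able to tell that the profile is gone.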
How can this vulnerability impact me?
The demonstrated impact is a crash from an invalid memory access, which affects the stability and availability of any application that links iccDEV and hands it ICC profile data.
This entry rates the impact on confidentiality, integrity, and availability as high because a use-after-free can, in principle, be turned into more than a crash when an attacker controls what reuses the freed allocation; however, no code-execution exploit is described here, and the proof of concept produces a denial of service.
Triggering the bug requires getting a crafted ICC profile processed on the target and needs user interaction but no special privileges, so software that accepts profiles from untrusted sources (for example profiles embedded in image files) should be treated as exposed until patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a heap-use-after-free in CIccCmm::AddXform() in the iccDEV library, triggered by crafted ICC profile input and observable as a crash. Network scanners will not see it: it is a file-parsing bug inside a library. The first check is inventory: identify every build or deployment that links iccDEV and confirm whether its version is below 2.3.1.5.
To confirm that a specific build is affected, compile iccDEV with AddressSanitizer (ASan) and feed it the crafted input; ASan reports the invalid access in CIccCmm::AddXform() as a heap-use-after-free with a stack trace, rather than as a bare segmentation fault.
The practical reproduction is to run the iccApplyProfiles tool on the proof-of-concept file (huaf-CIccCmm-AddXform-IccCmm_cpp-Line8320.icc) and watch for a crash or a sanitizer report:
- With an AddressSanitizer-enabled build of iccDEV, run: ./iccApplyProfiles huaf-CIccCmm-AddXform-IccCmm_cpp-Line8320.icc test_8x8.tif
- Fuzz the profile-parsing entry points with libFuzzer under ASan to surface this and related memory-safety issues in your own integration.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to update iccDEV to version 2.3.1.5 or later, where the heap-use-after-free in CIccCmm::AddXform() has been fixed.
No code-level workaround is published; until the update is applied, limit which ICC profiles reach an unpatched build.
Update through whichever channel you obtain the library (the project's releases, a package manager, or a container image), and rebuild and redeploy anything that statically links iccDEV, since those binaries will not pick up a library update on their own.