CVE-2026-30978
Received Received - Intake
Heap-Use-After-Free in iccDEV CIccCmm Causes Crash

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform() causing invalid vptr dereference and crash. This vulnerability is fixed in 2.3.1.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30978
EUVD
EUVD-2026-10715
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
color iccdev to 2.3.1.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-825 The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
CWE-672 The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-30978 is a heap-use-after-free vulnerability in the International Color Consortium's iccDEV project, specifically in the function CIccCmm::AddXform(). This bug occurs when a CIccProfile object is freed but later accessed again, causing an invalid virtual pointer dereference and leading to a program crash."}, {'type': 'paragraph', 'content': 'The issue arises during the creation and addition of color transform objects that rely on CIccProfile instances. Improper handling of these objects causes the program to access memory that has already been freed, resulting in undefined behavior.'}, {'type': 'paragraph', 'content': 'This vulnerability was discovered through fuzz testing and can cause crashes or potential exploitation due to use of freed memory.'}] [1, 4]

Impact Analysis

This vulnerability can lead to program crashes due to invalid memory access, which affects the stability and availability of applications using the iccDEV library.

Because the vulnerability has a high impact on confidentiality, integrity, and availability, it could potentially be exploited to execute arbitrary code or cause denial of service.

Exploitation requires local access and user interaction, but no special privileges are needed, making it a significant security risk for affected systems.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves a heap-use-after-free bug in the function CIccCmm::AddXform() of the iccDEV library, which can cause crashes due to invalid memory access. Detection can be performed by running fuzz testing tools such as libFuzzer against the iccDEV library, specifically targeting the handling of ICC profile objects.

Additionally, using AddressSanitizer (ASan) during testing can help detect heap-use-after-free errors by reporting invalid memory accesses in the CIccCmm::AddXform() function.

A practical approach to detect the issue is to run the iccApplyProfiles tool with specially crafted ICC profile files (such as the proof-of-concept file huaf-CIccCmm-AddXform-IccCmm_cpp-Line8320.icc) and monitor for crashes or sanitizer reports.

  • Use AddressSanitizer-enabled build of iccDEV and run: ./iccApplyProfiles huaf-CIccCmm-AddXform-IccCmm_cpp-Line8320.icc test_8x8.tif
  • Run fuzz testing with libFuzzer targeting the iccDEV library to identify heap-use-after-free issues.
Mitigation Strategies

The primary and recommended mitigation for this vulnerability is to update the iccDEV library to version 2.3.1.5 or later, where the heap-use-after-free bug in CIccCmm::AddXform() has been fixed.

No other workarounds or mitigations are known or provided aside from applying the official patch.

Updating can be done by installing the latest release via supported package managers or pulling the latest Docker image.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30978. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart