CVE-2026-30980
Received Received - Intake
Stack Overflow in iccDEV CIccBasicStructFactory Causes Crash

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a stack overflow in CIccBasicStructFactory::CreateStruct() causing uncontrolled recursion/stack exhaustion and crash. This vulnerability is fixed in 2.3.1.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30980
EUVD
EUVD-2026-10719
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
color iccdev to 2.3.1.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30980 is a stack overflow vulnerability in the iccDEV project, specifically in the function CIccBasicStructFactory::CreateStruct(). This function can enter uncontrolled recursion due to malformed or crafted ICC profile data, causing excessive stack usage and eventually a stack overflow that crashes the program.

The root cause is that the function does not properly check tag sizes before processing, which leads to infinite recursion and stack exhaustion. This vulnerability was discovered through fuzz testing and is fixed in version 2.3.1.5 by adding checks on tag sizes to prevent the infinite loop.

Impact Analysis

This vulnerability can impact you by causing a denial of service (DoS) through application crashes. When exploited, the stack overflow leads to uncontrolled recursion and stack exhaustion, causing the affected program to abort unexpectedly.

The impact is limited to availability, meaning it does not affect confidentiality or integrity of data. The attack requires local access and some user interaction but no special privileges.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the iccDEV tools, particularly the function CIccBasicStructFactory::CreateStruct(), with crafted ICC profile data that triggers uncontrolled recursion and stack overflow.'}, {'type': 'paragraph', 'content': 'Fuzz testing using tools like libFuzzer can be employed to detect the stack overflow, as was done in the original discovery.'}, {'type': 'paragraph', 'content': 'Running the iccDumpProfile tool on suspicious or untrusted ICC profile files may cause the program to crash with an AddressSanitizer error indicating a stack overflow.'}, {'type': 'list_item', 'content': "Use fuzzing tools such as libFuzzer targeting iccDEV's ICC profile parsing functions."}, {'type': 'list_item', 'content': 'Run the command: `iccDumpProfile <profile.icc>` on ICC profiles to check for crashes or stack overflow errors.'}, {'type': 'list_item', 'content': 'Monitor for application crashes with messages like "stack-overflow on address" from AddressSanitizer or similar runtime diagnostics.'}] [3]

Mitigation Strategies

The primary mitigation step is to upgrade the iccDEV package to version 2.3.1.5 or later, where the vulnerability has been fixed.

The fix involves added checks on tag sizes to prevent uncontrolled recursion and stack overflow.

Until the upgrade can be applied, avoid processing untrusted or malformed ICC profile files with vulnerable versions of iccDEV to reduce the risk of triggering the stack overflow.

  • Update iccDEV to version 2.3.1.5 or newer.
  • Restrict or validate ICC profile inputs to prevent malformed data from being processed.
  • Monitor application logs for crashes related to ICC profile processing and address them promptly.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30980. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart