CVE-2026-31793
Received Received - Intake
Segmentation Fault in iccDEV ICC Profile Library Causes DoS

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a segmentation fault due to invalid/wild pointer read in CIccCalculatorFunc::ApplySequence() causing denial of service. This vulnerability is fixed in 2.3.1.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31793
EUVD
EUVD-2026-10736
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
color iccdev to 2.3.1.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31793 is a vulnerability in the iccDEV project, specifically in the function CIccCalculatorFunc::ApplySequence(). It causes a segmentation fault due to an invalid or wild pointer read, which leads to a denial of service by crashing the affected application.

The fault occurs when processing ICC color management profiles, triggered by malformed or specially crafted ICC profile files. The root cause involves improper handling of data structures, integer overflow, and out-of-bounds memory access during the application of ICC profile sequences.

This vulnerability was fixed in version 2.3.1.5 by adding checks to prevent integer overflow and validating input sizes to avoid invalid memory access.

Impact Analysis

This vulnerability can cause a denial of service by crashing applications that use the iccDEV library to process ICC color profiles.

An attacker with local access and the ability to provide a specially crafted ICC profile file can trigger a segmentation fault, causing the application to abort unexpectedly.

There is no impact on confidentiality or integrity, but the availability of the affected application is highly impacted.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by reproducing the segmentation fault triggered by processing a specially crafted ICC profile file using the iccDEV tools.

A proof-of-concept involves using the `iccApplyProfiles` tool with a malicious ICC profile file that causes a segmentation fault in the function `CIccCalculatorFunc::ApplySequence()`.

An example command sequence to detect the vulnerability is:

  • Download the crafted ICC profile file (e.g., `hbo-CIccCalculatorFunc-ApplySequence-IccMpeCalc_cpp-Line3715.icc`).
  • Use the `iccApplyProfiles` tool to apply the ICC profile to an image, such as a base64-decoded TIFF image.
  • Observe if the application crashes with a segmentation fault, indicating the presence of the vulnerability.

The crash is detected by memory error tools like AddressSanitizer, which reports invalid memory access at the faulting code location.

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV package to version 2.3.1.5 or later, where the vulnerability has been fixed.

The fix addresses the root cause by adding checks to prevent integer overflow and out-of-bounds memory access in the `ApplySequence()` function.

No workarounds are provided, so applying the official patch or upgrading to the fixed version is necessary to prevent denial of service.

Additionally, avoid processing untrusted or malformed ICC profiles until the update is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31793. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart