CVE-2026-31793
Segmentation Fault in iccDEV ICC Profile Library Causes DoS
Publication date: 2026-03-10
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | to 2.3.1.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-703 | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31793 is a vulnerability in the iccDEV project, specifically in the function CIccCalculatorFunc::ApplySequence(). It causes a segmentation fault due to an invalid or wild pointer read, which leads to a denial of service by crashing the affected application.
The fault occurs when processing ICC color management profiles, triggered by malformed or specially crafted ICC profile files. The root cause involves improper handling of data structures, integer overflow, and out-of-bounds memory access during the application of ICC profile sequences.
This vulnerability was fixed in version 2.3.1.5 by adding checks to prevent integer overflow and validating input sizes to avoid invalid memory access.
How can this vulnerability impact me? :
This vulnerability can cause a denial of service by crashing applications that use the iccDEV library to process ICC color profiles.
An attacker with local access and the ability to provide a specially crafted ICC profile file can trigger a segmentation fault, causing the application to abort unexpectedly.
There is no impact on confidentiality or integrity, but the availability of the affected application is highly impacted.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reproducing the segmentation fault triggered by processing a specially crafted ICC profile file using the iccDEV tools.
A proof-of-concept involves using the `iccApplyProfiles` tool with a malicious ICC profile file that causes a segmentation fault in the function `CIccCalculatorFunc::ApplySequence()`.
An example command sequence to detect the vulnerability is:
- Download the crafted ICC profile file (e.g., `hbo-CIccCalculatorFunc-ApplySequence-IccMpeCalc_cpp-Line3715.icc`).
- Use the `iccApplyProfiles` tool to apply the ICC profile to an image, such as a base64-decoded TIFF image.
- Observe if the application crashes with a segmentation fault, indicating the presence of the vulnerability.
The crash is detected by memory error tools like AddressSanitizer, which reports invalid memory access at the faulting code location.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV package to version 2.3.1.5 or later, where the vulnerability has been fixed.
The fix addresses the root cause by adding checks to prevent integer overflow and out-of-bounds memory access in the `ApplySequence()` function.
No workarounds are provided, so applying the official patch or upgrading to the fixed version is necessary to prevent denial of service.
Additionally, avoid processing untrusted or malformed ICC profiles until the update is applied.