CVE-2026-31794
Received - Intake
Segmentation Fault in iccDEV CIccCLUT Causes Denial of Service

Publication date: 2026-03-10

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a segmentation fault from invalid/wild pointer read in CIccCLUT::Interp3d() causing a denial of service. This vulnerability is fixed in 2.3.1.5.
Meta Information
Published: 2026-03-10
Last Modified: 2026-03-13
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: color
Product: iccdev
Version / Range: to 2.3.1.5 (exc)
CWE
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
CWE-703: The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31794 is a vulnerability in the iccDEV project related to a segmentation fault occurring in the function CIccCLUT::Interp3d(). This function performs 3D interpolation within a color lookup table (CLUT) used for ICC color profile processing. The issue arises from improper handling and validation of input data, which leads to an out-of-bounds memory read (wild pointer read). When a specially crafted malicious ICC profile is processed, it triggers an invalid memory access causing the application to crash.

The root cause is the lack of proper clipping checks before dereferencing pointers in the interpolation logic, which results in reading invalid memory addresses and causing a denial of service.
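
The clipping check described above, shown as an added illustration in C; this is not iccDEV's code or its patch. The `Clut3` layout and the `clip_axis` and `clut3_interp` names are hypothetical, and the 2x2x2 table is constructed sample data.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>
/* Hypothetical simplified CLUT: grid^3 nodes, one float per node. */
typedef struct { unsigned grid; const float *data; } Clut3;

/* Clip one coordinate to [0,1]; NaN is rejected since range comparisons miss it. */
static int clip_axis(float v, unsigned grid, unsigned *idx, float *frac)
{
    if (isnan(v)) return -1;
    if (v < 0.0f) v = 0.0f;
    if (v > 1.0f) v = 1.0f;
    float pos = v * (float)(grid - 1);   /* clipped first, so the cast is safe */
    unsigned i = (unsigned)pos;
    if (i > grid - 2) i = grid - 2;      /* keep node i+1 inside the table */
    *idx = i;
    *frac = pos - (float)i;
    return 0;
}

/* Trilinear lookup. Returns 0 on success, -1 when the input is rejected. */
int clut3_interp(const Clut3 *c, const float in[3], float *out)
{
    unsigned i[3]; float f[3], acc = 0.0f;
    if (!c || !c->data || c->grid < 2 || !in || !out) return -1;
    for (int a = 0; a < 3; a++)
        if (clip_axis(in[a], c->grid, &i[a], &f[a]) != 0) return -1;
    size_t g = c->grid;
    for (unsigned k = 0; k < 8; k++) {   /* the 8 corners of the cell */
        unsigned dx = k & 1, dy = (k >> 1) & 1, dz = (k >> 2) & 1;
        size_t off = ((i[0] + dx) * g + (i[1] + dy)) * g + (i[2] + dz);
        float w = (dx ? f[0] : 1.0f - f[0]) * (dy ? f[1] : 1.0f - f[1]) *
                  (dz ? f[2] : 1.0f - f[2]);
        acc += w * c->data[off];
    }
    *out = acc;
    return 0;
}

int main(void)
{
    static const float t[8] = {0, 1, 10, 11, 100, 101, 110, 111}; /* constructed */
    Clut3 c = {2, t};
    const float wild[3] = {5.0f, -3.0f, 1e30f};  /* far outside [0,1] */
    float out = 0.0f;
    int rc = clut3_interp(&c, wild, &out);
    printf("rc=%d out=%g\n", rc, out);
    return rc;
}
```

Without the clip and the `grid - 2` bound, the out-of-range inputs in `main` would produce table offsets far outside the eight allocated nodes.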


How can this vulnerability impact me?

This vulnerability can cause a denial of service (DoS) by crashing applications that use the iccDEV libraries to process ICC color profiles. Specifically, if an application processes a maliciously crafted ICC profile, it may trigger a segmentation fault leading to an unexpected crash.

The impact is limited to availability, with no effect on confidentiality or integrity. Exploitation requires local access with low attack complexity and some user interaction.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by processing ICC profile files with the vulnerable iccDEV tools, such as iccApplyProfiles, and observing if a segmentation fault occurs during execution.

Fuzz testing with specially crafted ICC profile files (e.g., segv-CIccCLUT-Interp3d-IccTagLut_cpp-Line2741.icc) can trigger the crash and help identify the vulnerability.

Using AddressSanitizer (ASAN) during execution of iccApplyProfiles can detect invalid memory accesses related to this vulnerability.

  • Run the vulnerable iccApplyProfiles tool with a crafted ICC profile to check for crashes: `./iccApplyProfiles segv-CIccCLUT-Interp3d-IccTagLut_cpp-Line2741.icc`
  • Use an AddressSanitizer-enabled build of iccApplyProfiles to detect wild pointer reads and segmentation faults.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the iccDEV package to version 2.3.1.5 or later, where the vulnerability has been fixed.

Avoid processing untrusted or maliciously crafted ICC profile files with vulnerable versions of iccDEV tools to prevent denial of service crashes.

No workarounds are provided, so applying the official patch or upgrade is necessary to fully mitigate the issue.

