CVE-2026-34533
Undefined Behavior in iccDEV ICC Profile Processing (CIccCalculatorFunc
Publication date: 2026-03-31
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | < 2.3.1.6 (2.3.1.6 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-758 | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in iccDEV, a set of libraries and tools for working with ICC color management profiles. Before version 2.3.1.6, a specially crafted ICC profile can cause undefined behavior in the function CIccCalculatorFunc::ApplySequence(). The profile supplies a raw 32-bit value that is converted to the enum type icChannelFuncSignature without being checked against the set of defined enumerators, so an invalid enum value is loaded and the code then operates on a value the type does not define (enum value confusion, CWE-758). The issue is detectable under UBSan as an invalid value load for that enum type.
How can this vulnerability impact me?
Processing a malicious ICC profile with a vulnerable iccDEV version triggers undefined behavior. The CVSS score of 6.2 corresponds to a local attack vector with low complexity and no privileges or user interaction required; confidentiality and integrity are rated as not impacted, while availability impact is high. In practice this means the most likely outcome is a crash or denial of service in any application that parses untrusted ICC profiles with the vulnerable library; because the behavior is undefined, the exact consequence depends on the compiler and build.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing Undefined Behavior (UB) reports during ICC profile processing, specifically under UBSan (Undefined Behavior Sanitizer). The issue manifests as a report of the form "load of value … not a valid value for type icChannelFuncSignature", indicating that a value outside the defined enumerators was loaded into the enum type.
To detect this on your system, build the ICC profile processing tools with UBSan enabled (for example with -fsanitize=undefined, which includes the enum range check in both Clang and GCC), run them over the profiles you need to process, and monitor for such UB reports. Note that the sanitizer only reports the problem when a crafted profile is actually processed; a clean run over benign profiles does not prove the binary is patched, so check the installed version as well.
No specific commands are provided in the available information.
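As an added illustration of the bug class (this is example code written for this page, not iccDEV's own source; the enum name ChannelFuncSig, its enumerators and the toy "sequence" format are all hypothetical), the block below shows the vulnerable pattern, a raw 32-bit value from the profile cast straight to an enum, beside the hardened form that validates the code against the known enumerators before the conversion and rejects the profile otherwise.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Illustrative stand-in for an ICC function-signature enum (NOT iccDEV's real
// icChannelFuncSignature; names and codes are made up for this example). It is
// deliberately declared without a fixed underlying type: for such enums C++
// only guarantees the range needed to hold the enumerators, so converting an
// arbitrary uint32_t such as 0xFFFFFFFF to it is undefined behaviour, which is
// what UBSan's enum check reports as "load of value ... not a valid value for
// type".
enum ChannelFuncSig {
    kSigSum = 0x73756D20, // 'sum '
    kSigMul = 0x6D756C20, // 'mul '
    kSigMin = 0x6D696E20, // 'min '
};

// ICC profiles store multi-byte integers big-endian.
static uint32_t read_be32(const uint8_t *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Vulnerable pattern (CWE-758): trust the file bytes and cast straight to the
// enum. Any 32-bit value gets through; a later switch over it may take no
// branch at all, or the optimiser may treat the impossible value as unreachable.
ChannelFuncSig load_sig_unchecked(const uint8_t *p) {
    return static_cast<ChannelFuncSig>(read_be32(p));
}

// Hardened form: validate the raw code against the known set first and refuse
// the input otherwise. The cast now only ever sees enumerator values.
std::optional<ChannelFuncSig> parse_sig_checked(const uint8_t *p) {
    uint32_t raw = read_be32(p);
    switch (raw) {
    case kSigSum:
    case kSigMul:
    case kSigMin:
        return static_cast<ChannelFuncSig>(raw);
    default:
        return std::nullopt; // unknown or corrupt signature: reject, don't guess
    }
}

// Toy "calculator sequence" (hypothetical format): one count byte followed by
// that many 4-byte signatures, applied in order to an accumulator. Returns
// false for a truncated sequence or an invalid code.
bool apply_sequence_checked(const std::vector<uint8_t> &seq, double &acc) {
    if (seq.empty())
        return false;
    size_t n = seq[0];
    if (seq.size() < 1 + 4 * n)
        return false; // sequence claims more ops than the buffer holds
    for (size_t i = 0; i < n; ++i) {
        std::optional<ChannelFuncSig> sig = parse_sig_checked(&seq[1 + 4 * i]);
        if (!sig)
            return false;
        switch (*sig) {
        case kSigSum: acc += 1.0; break;
        case kSigMul: acc *= 2.0; break;
        case kSigMin: acc = acc < 1.0 ? acc : 1.0; break;
        }
    }
    return true;
}

// Build a sequence buffer from raw 32-bit codes (used to construct test input).
std::vector<uint8_t> make_sequence(const std::vector<uint32_t> &codes) {
    std::vector<uint8_t> out;
    out.push_back(static_cast<uint8_t>(codes.size()));
    for (uint32_t c : codes) {
        out.push_back(uint8_t(c >> 24));
        out.push_back(uint8_t(c >> 16));
        out.push_back(uint8_t(c >> 8));
        out.push_back(uint8_t(c));
    }
    return out;
}

int main() {
    // Constructed malicious sequence: a valid 'sum ' followed by 0xFFFFFFFF.
    std::vector<uint8_t> bad = make_sequence({uint32_t(kSigSum), 0xFFFFFFFFu});
    ChannelFuncSig s = load_sig_unchecked(&bad[5]); // UB: UBSan reports this load
    std::printf("unchecked load gave 0x%08X\n", unsigned(s));
    double acc = 1.0;
    std::printf("checked apply: %s\n",
                apply_sequence_checked(bad, acc) ? "ok" : "rejected");
    return 0;
}
```

Build it with `clang++ -std=c++17 -O0 -g -fsanitize=undefined` (or the GCC equivalent) and run it: the unchecked path produces the "not a valid value for type 'ChannelFuncSig'" runtime error, while the checked path simply rejects the sequence. The check is deliberately a whitelist of enumerators rather than a range test, because the ICC four-character codes are sparse and an attacker can pick any value within the range that is still not a defined signature.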
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade iccDEV to version 2.3.1.6 or later, where this issue has been patched. Until that is done, avoid feeding ICC profiles from untrusted sources to tools or applications built on the vulnerable library.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.