CVE-2026-34533
Status: Received - Intake
Undefined Behavior in iccDEV ICC Profile Processing (CIccCalculatorFunc

Publication date: 2026-03-31

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) in CIccCalculatorFunc::ApplySequence() due to invalid enum values being loaded for icChannelFuncSignature. The issue is observable under UBSan as a "load of value … not a valid value for type icChannelFuncSignature", indicating a type/enum value confusion scenario during ICC profile processing. This issue has been patched in version 2.3.1.6.
Affected Vendors & Products
Vendor: color
Product: iccdev
Version / Range: up to 2.3.1.6 (excluding)
CWE
CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior): The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
Executive Summary

This vulnerability exists in iccDEV, a set of libraries and tools for working with ICC color management profiles. Before version 2.3.1.6, a specially crafted ICC profile can cause undefined behavior in the function CIccCalculatorFunc::ApplySequence(). The cause is that values read from the profile which are not valid icChannelFuncSignature enumerators are loaded as that enum type, a type/enum value confusion during ICC profile processing. Under UBSan the issue shows up as an invalid-value load for the enum type.

Impact Analysis

Processing a malicious ICC profile reaches undefined behavior. The CVSS score of 6.2 reflects a local attack vector with low attack complexity and no privileges or user interaction required. Confidentiality and integrity are not affected; availability impact is high, so the realistic outcome is a crash or denial of service in any application that parses untrusted profiles with a vulnerable iccDEV version.

Detection Guidance

This vulnerability can be detected by observing Undefined Behavior (UB) reports during ICC profile processing, specifically under UBSan (Undefined Behavior Sanitizer). The issue manifests as a "load of value … not a valid value for type icChannelFuncSignature", indicating invalid enum values being loaded.

In practice this means building the ICC profile processing tools with UBSan enabled, feeding them the profiles you want to check, and watching for that report. The advisory does not provide specific commands.
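The pattern behind the advisory (an untrusted 32-bit tag from a profile becoming an enum without validation, then being read when the operation sequence is applied), reduced to a standalone C++ example. This is the editor's added code, not iccDEV's: ChannelFuncSig, Op, the 'inc '/'dbl '/'neg ' tags, and the load/apply functions are hypothetical stand-ins for icChannelFuncSignature, CIccCalculatorFunc and ApplySequence(), since the real enumerator values are not on the page. It shows the unchecked loader that UBSan flags next to a hardened loader that rejects unknown tags before they ever become an enum.

```cpp
// Added example (editor's own code, not iccDEV's): minimal model of the
// enum-value-confusion pattern behind CVE-2026-34533. Names and tag values
// are hypothetical stand-ins for icChannelFuncSignature / ApplySequence().
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// No fixed underlying type, as is typical for signature enums: the type can
// only represent 0..0x7FFFFFFF (the bits needed for the largest enumerator),
// so loading anything outside that range is undefined behaviour.
enum ChannelFuncSig {
    kSigInc = 0x696e6320,  // 'inc ' : channel += 1   (hypothetical tag)
    kSigDbl = 0x64626c20,  // 'dbl ' : channel *= 2   (hypothetical tag)
    kSigNeg = 0x6e656720,  // 'neg ' : channel = -v   (hypothetical tag)
};

struct Op { ChannelFuncSig sig; };

// ICC profiles store multi-byte fields big-endian.
static uint32_t readBE32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

// VULNERABLE pattern: the raw tag becomes an enum with no check. For a tag
// such as 0xFFFFFFFF, reading ops[i].sig later is the "load of value ...,
// which is not a valid value for type" that UBSan reports.
static std::vector<Op> loadSequenceUnchecked(const uint8_t* buf, size_t len) {
    std::vector<Op> ops;
    for (size_t off = 0; off + 4 <= len; off += 4)
        ops.push_back(Op{static_cast<ChannelFuncSig>(readBE32(buf + off))});
    return ops;
}

// HARDENED pattern: only allowlisted tags are converted to ChannelFuncSig.
static bool sigFromRaw(uint32_t raw, ChannelFuncSig& out) {
    static const ChannelFuncSig kKnown[] = {kSigInc, kSigDbl, kSigNeg};
    for (ChannelFuncSig s : kKnown) {
        if (raw == static_cast<uint32_t>(s)) { out = s; return true; }
    }
    return false;
}

static bool loadSequenceChecked(const uint8_t* buf, size_t len, std::vector<Op>& ops) {
    ops.clear();
    if (len % 4 != 0) return false;               // truncated element
    for (size_t off = 0; off < len; off += 4) {
        ChannelFuncSig s;
        if (!sigFromRaw(readBE32(buf + off), s)) return false;  // unknown tag: reject
        ops.push_back(Op{s});
    }
    return true;
}

// Stand-in for ApplySequence(): runs the ops over one channel value. The
// default branch is the confusion point; with the unchecked loader a value
// that is no enumerator at all can reach it.
static bool applySequence(const std::vector<Op>& ops, double in, double& out) {
    double v = in;
    for (const Op& op : ops) {
        switch (op.sig) {
            case kSigInc: v += 1.0; break;
            case kSigDbl: v *= 2.0; break;
            case kSigNeg: v = -v;   break;
            default:      return false;
        }
    }
    out = v;
    return true;
}

// Constructed inputs (not real profiles): a valid sequence and one with a bogus tag.
static const uint8_t kGoodSeq[] = {'i','n','c',' ', 'd','b','l',' ', 'n','e','g',' '};
static const uint8_t kBadSeq[]  = {'i','n','c',' ', 0xFF,0xFF,0xFF,0xFF};

int main() {
    std::vector<Op> ops;
    double out = 0;
    if (loadSequenceChecked(kGoodSeq, sizeof kGoodSeq, ops) && applySequence(ops, 3.0, out))
        std::printf("checked: good sequence -> %g\n", out);   // (3+1)*2, negated: -8
    std::printf("checked: bad sequence accepted? %s\n",
                loadSequenceChecked(kBadSeq, sizeof kBadSeq, ops) ? "yes" : "no");

    // Build with -fsanitize=undefined and this call produces the sanitizer report.
    std::vector<Op> bad = loadSequenceUnchecked(kBadSeq, sizeof kBadSeq);
    std::printf("unchecked: apply returned %d\n", applySequence(bad, 3.0, out));
    return 0;
}
```

Compile with `clang++ -std=c++17 -O0 -g -fsanitize=undefined` (g++ takes the same flags; the enum check is part of the `undefined` group in both) and run it; the unchecked call in main yields a report of the form `runtime error: load of value …, which is not a valid value for type 'ChannelFuncSig'`, the same shape as the advisory's message. Two caveats worth knowing when using the sanitizer as a detector: it only flags values outside the enum's representable bit range, so an unknown tag that happens to be in range (0x12345678 here) passes silently through the unchecked loader, and at higher optimization levels the compiler may keep the value in a register and elide the instrumented load. The allowlist check is therefore the fix; the sanitizer is only how you find the bug.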

Mitigation Strategies

The immediate mitigation step is to upgrade iccDEV to version 2.3.1.6 or later, where this issue has been patched.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
