CVE-2026-34535
Received Received - Intake
Segmentation Fault in iccDEV ICC Profile Handling Causes Crash

Publication date: 2026-03-31

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a segmentation fault (SEGV) in CIccTagArray::Cleanup(). The issue is observable under UBSan/ASan as misaligned member access / misaligned pointer loads followed by an invalid read leading to process crash when running iccRoundTrip on a malicious profile. This issue has been patched in version 2.3.1.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34535
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
color iccdev to 2.3.1.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in iccDEV, a set of libraries and tools for working with ICC color management profiles. Before version 2.3.1.6, a specially crafted ICC profile can cause a segmentation fault (SEGV) in the function CIccTagArray::Cleanup(). This happens due to misaligned member access or misaligned pointer loads, which leads to an invalid memory read and ultimately causes the process to crash when running the iccRoundTrip tool on a malicious profile.

Impact Analysis

The vulnerability can cause a denial of service by crashing the process that handles ICC profiles, specifically when using the iccRoundTrip tool. This crash results from invalid memory access triggered by a maliciously crafted ICC profile. While it does not lead to data confidentiality or integrity loss, it can disrupt normal operations by causing unexpected process termination.

Compliance Impact

The vulnerability CVE-2026-34535 causes a local denial of service by crashing the process handling ICC color profiles due to a segmentation fault. It does not impact confidentiality or integrity of data, as indicated by the CVSS metrics (Confidentiality: None, Integrity: None).

Because it does not lead to unauthorized data access or modification, this vulnerability is unlikely to directly affect compliance with data protection standards and regulations such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

However, the denial of service caused by this vulnerability could impact system availability, which may be a consideration under some regulatory frameworks depending on the context of use.

Detection Guidance

This vulnerability manifests as a segmentation fault (SEGV) in the iccDEV tool iccRoundTrip when processing a specially crafted ICC profile. Detection involves running iccRoundTrip on suspicious or untrusted ICC profiles and observing if the process crashes.

Using sanitizers such as Undefined Behavior Sanitizer (UBSan) and Address Sanitizer (ASan) during testing can help detect misaligned pointer accesses and invalid reads that trigger the crash.

A practical detection approach is to execute the following command on a potentially malicious ICC profile:

  • iccRoundTrip suspicious_profile.icc

If the process crashes with segmentation fault or sanitizer errors related to misaligned pointer loads or invalid memory reads, it indicates the presence of the vulnerability.

For more detailed debugging, running iccRoundTrip under sanitizers can be done by compiling iccDEV with UBSan and ASan enabled and then executing the tool on the profile to observe sanitizer reports.

Mitigation Strategies

The vulnerability has been patched in iccDEV version 2.3.1.6. To mitigate this vulnerability, you should upgrade your iccDEV installation to version 2.3.1.6 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34535. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart