CVE-2026-34537
Undefined Behavior in iccDEV ICC Profile Enum Handling
Publication date: 2026-03-31
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | before 2.3.1.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-758 | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in iccDEV involves undefined behavior triggered by crafted ICC profiles, leading to potential application crashes or denial of service due to invalid enum values during ICC profile processing.
However, there is no information provided about any impact on confidentiality, integrity, or availability of personal or sensitive data that would directly affect compliance with standards such as GDPR or HIPAA.
Therefore, based on the available information, this vulnerability does not explicitly affect compliance with common standards and regulations like GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in iccDEV, a set of libraries and tools for handling ICC color management profiles. Before version 2.3.1.6, a specially crafted ICC profile could cause undefined behavior in the function CIccOpDefEnvVar::Exec(). This happens because invalid enum values are loaded for icSigCmmEnvVar, which is not expected by the program. Under UBSan (Undefined Behavior Sanitizer), this manifests as an error indicating that an invalid enum or type value was used during ICC profile processing. The issue has been fixed in version 2.3.1.6.
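A defensive parsing pattern for the enum-handling bug described above, as an added example that is not iccDEV's own code: the enum name, its enumerator values, and the sample profile bytes are constructed stand-ins, since this page does not list the real icSigCmmEnvVar values. The point it shows is that an attacker-controlled 32-bit field from a profile must be matched against the known enumerators before it is ever stored in an enum type.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for the library's icSigCmmEnvVar enumeration, declared
// C-style without a fixed underlying type, as the UBSan message on this page
// implies. The enumerator values are constructed for this example.
typedef enum {
  envSigUnknown = 0x00000000,
  envSigAlpha   = 0x41414141,  // 'AAAA' (constructed)
  envSigBeta    = 0x42424242   // 'BBBB' (constructed)
} EnvVarSig;

// ICC profile fields are big-endian 32-bit; read one with a bounds check.
static bool readBE32(const std::vector<uint8_t>& buf, size_t off, uint32_t& out) {
  if (off > buf.size() || buf.size() - off < 4) return false;  // truncated field
  out = (uint32_t(buf[off]) << 24) | (uint32_t(buf[off + 1]) << 16) |
        (uint32_t(buf[off + 2]) << 8) | uint32_t(buf[off + 3]);
  return true;
}

// Hardened form: only a word that names an actual enumerator is converted.
// Casting an arbitrary value into an enum without a fixed underlying type is
// the CWE-758 pattern that UBSan reports as "load of value ... not a valid value".
static bool toEnvVarSig(uint32_t raw, EnvVarSig& out) {
  switch (raw) {
    case envSigUnknown: out = envSigUnknown; return true;
    case envSigAlpha:   out = envSigAlpha;   return true;
    case envSigBeta:    out = envSigBeta;    return true;
    default:            return false;  // reject the profile instead of casting
  }
}

// Parse the signature field at `off`; false means the profile should be rejected.
bool parseEnvVarSig(const std::vector<uint8_t>& buf, size_t off, EnvVarSig& out) {
  uint32_t raw = 0;
  if (!readBE32(buf, off, raw)) return false;
  return toEnvVarSig(raw, out);
}

// Constructed sample inputs: a valid field, an unknown field, and a truncated one.
const std::vector<uint8_t> kValidField   = {0x41, 0x41, 0x41, 0x41};
const std::vector<uint8_t> kUnknownField = {0xDE, 0xAD, 0xBE, 0xEF};
const std::vector<uint8_t> kShortField   = {0x41, 0x41};
```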
How can this vulnerability impact me?
The vulnerability can lead to undefined behavior when processing maliciously crafted ICC profiles. According to the CVSS score (6.2), the impact is primarily on availability (A:H), meaning it could cause crashes or denial of service in applications using the vulnerable iccDEV versions. There is no impact on confidentiality or integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing Undefined Behavior (UB) reports under UBSan (Undefined Behavior Sanitizer) when processing ICC profiles. Specifically, the issue manifests as a "load of value … not a valid value for type icSigCmmEnvVar" error, indicating that an invalid enum or type value is being consumed during ICC profile processing.
To detect this on your system, you would need to run the ICC profile processing tools with UBSan enabled and monitor for such errors. There are no specific commands provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV libraries and tools to version 2.3.1.6 or later, where this vulnerability has been patched.