CVE-2026-34537
Received Received - Intake
Undefined Behavior in iccDEV ICC Profile Enum Handling

Publication date: 2026-03-31

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) in CIccOpDefEnvVar::Exec() due to invalid enum values being loaded for icSigCmmEnvVar. The issue is observable under UBSan as a β€œload of value … not a valid value for type icSigCmmEnvVar”, indicating an invalid enum/type value being consumed during ICC profile processing. This issue has been patched in version 2.3.1.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34537
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
color iccdev to 2.3.1.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-758 The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in iccDEV, a set of libraries and tools for handling ICC color management profiles. Before version 2.3.1.6, a specially crafted ICC profile could cause undefined behavior in the function CIccOpDefEnvVar::Exec(). This happens because invalid enum values are loaded for icSigCmmEnvVar, which is not expected by the program. Under UBSan (Undefined Behavior Sanitizer), this manifests as an error indicating that an invalid enum or type value was used during ICC profile processing. The issue has been fixed in version 2.3.1.6.

Impact Analysis

The vulnerability can lead to undefined behavior when processing maliciously crafted ICC profiles. According to the CVSS score (6.2), the impact is primarily on availability (A:H), meaning it could cause crashes or denial of service in applications using the vulnerable iccDEV versions. There is no impact on confidentiality or integrity.

Detection Guidance

This vulnerability can be detected by observing Undefined Behavior (UB) reports under UBSan (Undefined Behavior Sanitizer) when processing ICC profiles. Specifically, the issue manifests as a β€œload of value … not a valid value for type icSigCmmEnvVar” error, indicating that an invalid enum or type value is being consumed during ICC profile processing.

To detect this on your system, you would need to run the ICC profile processing tools with UBSan enabled and monitor for such errors. There are no specific commands provided in the available information.

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV libraries and tools to version 2.3.1.6 or later, where this vulnerability has been patched.

Compliance Impact

The vulnerability in iccDEV involves undefined behavior triggered by crafted ICC profiles, leading to potential application crashes or denial of service due to invalid enum values during ICC profile processing.

However, there is no information provided about any impact on confidentiality, integrity, or availability of personal or sensitive data that would directly affect compliance with standards such as GDPR or HIPAA.

Therefore, based on the available information, this vulnerability does not explicitly affect compliance with common standards and regulations like GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34537. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart