CVE-2026-34539
Received Received - Intake
Heap Buffer Overflow in iccDEV TIFF Writing Causes Crash

Publication date: 2026-03-31

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile and TIFF input can trigger a heap-buffer-overflow (HBO) in CTiffImg::WriteLine(). The issue is observable under AddressSanitizer as an out-of-bounds heap read when running iccSpecSepToTiff on a malicious .icc + .tif pair, leading to a crash during TIFF strip writing. This issue has been patched in version 2.3.1.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34539
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
color iccdev to 2.3.1.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in iccDEV, a set of libraries and tools for working with ICC color management profiles. Before version 2.3.1.6, a specially crafted ICC profile combined with a TIFF input file can cause a heap-buffer-overflow in the function CTiffImg::WriteLine(). This results in an out-of-bounds heap read detected by AddressSanitizer when running the iccSpecSepToTiff tool on the malicious files, causing the program to crash during TIFF strip writing.

Detection Guidance

This vulnerability can be detected by running the iccSpecSepToTiff tool on a crafted malicious .icc and .tif file pair. When the vulnerability is triggered, it causes a heap-buffer-overflow leading to a crash during TIFF strip writing. Using AddressSanitizer can help observe the out-of-bounds heap read.

A suggested approach is to test suspicious ICC profile and TIFF input files with the iccSpecSepToTiff tool under AddressSanitizer to detect crashes or memory errors.

Mitigation Strategies

The immediate mitigation step is to upgrade iccDEV to version 2.3.1.6 or later, where this heap-buffer-overflow vulnerability has been patched.

Compliance Impact

The vulnerability described is a heap-buffer-overflow in iccDEV prior to version 2.3.1.6, which can cause a crash during TIFF strip writing. The CVE details indicate that the impact is on availability (denial of service) with no confidentiality or integrity impact.

Since the vulnerability does not affect confidentiality or integrity of data, it is unlikely to directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.

However, the availability impact (crash) could indirectly affect operational continuity, which may be relevant under some regulatory frameworks that require system availability and reliability.

Impact Analysis

The vulnerability can cause a crash of the affected application when processing malicious ICC and TIFF files, leading to a denial of service. Since the CVSS score indicates no impact on confidentiality or integrity but a high impact on availability, the main risk is that an attacker could disrupt services or applications relying on iccDEV by triggering this heap-buffer-overflow.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34539. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart