CVE-2026-34539
Heap Buffer Overflow in iccDEV TIFF Writing Causes Crash
Publication date: 2026-03-31
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | all versions before 2.3.1.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in iccDEV, a set of libraries and tools for working with ICC color management profiles. Before version 2.3.1.6, a specially crafted ICC profile combined with a TIFF input file can cause a heap-buffer-overflow in the function CTiffImg::WriteLine(). This results in an out-of-bounds heap read detected by AddressSanitizer when running the iccSpecSepToTiff tool on the malicious files, causing the program to crash during TIFF strip writing.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running the iccSpecSepToTiff tool on a crafted malicious .icc and .tif file pair. When the vulnerability is triggered, it causes a heap-buffer-overflow leading to a crash during TIFF strip writing. Using AddressSanitizer can help observe the out-of-bounds heap read.
A suggested approach is to test suspicious ICC profile and TIFF input files with the iccSpecSepToTiff tool under AddressSanitizer to detect crashes or memory errors.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade iccDEV to version 2.3.1.6 or later, where this heap-buffer-overflow vulnerability has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability described is a heap-buffer-overflow in iccDEV prior to version 2.3.1.6, which can cause a crash during TIFF strip writing. The CVE details indicate that the impact is on availability (denial of service) with no confidentiality or integrity impact.
Since the vulnerability does not affect confidentiality or integrity of data, it is unlikely to directly impact compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.
However, the availability impact (crash) could indirectly affect operational continuity, which may be relevant under some regulatory frameworks that require system availability and reliability.
How can this vulnerability impact me?
The vulnerability can cause a crash of the affected application when processing malicious ICC and TIFF files, leading to a denial of service. Since the CVSS score indicates no impact on confidentiality or integrity but a high impact on availability, the main risk is that an attacker could disrupt services or applications relying on iccDEV by triggering this heap-buffer-overflow.