CVE-2026-34542
Stack Buffer Overflow in iccDEV ICC Profile Processing
Publication date: 2026-03-31
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | to 2.3.1.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in iccDEV, a set of libraries and tools for working with ICC color management profiles. Before version 2.3.1.6, a specially crafted ICC profile can cause a stack-buffer-overflow (SBO) in the function CIccCalculatorFunc::Apply() when processed using iccApplyNamedCmm. Specifically, this overflow occurs as a 4-byte write beyond the stack buffer in the IccProfLib/IccMpeCalc.cpp file at line 3873, triggered through the MPE calculator or curve set initialization path. The issue has been fixed in version 2.3.1.6.
How can this vulnerability impact me? :
The vulnerability can lead to a stack-buffer-overflow, which may cause a program crash or potentially allow an attacker to execute arbitrary code or disrupt the normal operation of the software. Since the CVSS score rates the impact on availability as high (A:H) but no impact on confidentiality or integrity, the primary risk is denial of service or application instability when processing malicious ICC profiles.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in iccDEV version 2.3.1.6. To mitigate this vulnerability, you should upgrade your iccDEV libraries and tools to version 2.3.1.6 or later.