CVE-2026-34547
Undefined Behavior in iccDEV iccDumpProfile via Malicious ICC Profile
Publication date: 2026-03-31
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | up to (excluding) 2.3.1.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-758 | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in iccDEV, a set of libraries and tools for working with ICC color management profiles. Specifically, prior to version 2.3.1.6, an Undefined Behavior (UB) condition can be triggered in the IccUtil.cpp file by processing a specially crafted ICC profile when running the iccDumpProfile tool.
Undefined Behavior means that the program may behave unpredictably, potentially leading to crashes or other unintended effects.
How can this vulnerability impact me?
The vulnerability can cause a denial of service by triggering undefined behavior when processing a malicious ICC profile with the iccDumpProfile tool.
According to the CVSS score (6.2), the impact is primarily on availability (A:H), meaning it can disrupt service or cause the application to crash, but it does not affect confidentiality or integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update iccDEV to version 2.3.1.6 or later, where the issue has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-34547 causes undefined behavior leading to potential denial of service by crashing the iccDumpProfile tool when processing crafted ICC profiles. It does not impact confidentiality or integrity of data.
Since the vulnerability does not result in unauthorized data access, data leakage, or modification, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA.
The denial-of-service impact on availability could, however, indirectly bear on operational-continuity requirements under some standards; no explicit compliance impact is described.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running the iccDumpProfile tool from the iccDEV package on a crafted, malformed ICC profile that triggers the undefined behavior condition.
A proof-of-concept malformed ICC profile file named 'ub-left-shift-not-type-icUInt32Number-IccUtil_cpp-Line1088.icc' is publicly available and can be used to reproduce the error.
To detect the vulnerability, you can execute the following command with verbose output to observe the undefined behavior or runtime error:
- `iccDumpProfile -v ub-left-shift-not-type-icUInt32Number-IccUtil_cpp-Line1088.icc`
If the installed build is vulnerable, this command triggers a runtime error related to an invalid left shift operation on a 32-bit unsigned integer; the error is reported explicitly when the tool has been built with UndefinedBehaviorSanitizer enabled.
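The runtime error the detection answer describes, an invalid left shift on a value that is not of the 32-bit unsigned type the code assumes (the pattern the PoC file name and CWE-758 point at), is a common C/C++ bug class: a narrow operand is promoted to signed `int` before the shift, and a shift that overflows `int` is undefined. The C snippet below is an added illustration of that class beside a defensive version; it is not the iccDEV code at IccUtil.cpp line 1088, and the typedef stand-ins, function names and byte values are constructed for this example. It also goes one step beyond the page by adding a checked-shift helper for shift counts taken from untrusted profile data.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the ICC fixed-width types the page names;
 * the real typedefs live in iccDEV's own headers. */
typedef uint32_t icUInt32Number;
typedef uint8_t  icUInt8Number;

/* Bug class (hypothetical, NOT the iccDEV code at IccUtil.cpp line 1088):
 * the left operand is an 8-bit value, which C promotes to signed int before
 * the shift. For b[0] >= 0x80 the result of b[0] << 24 does not fit in int,
 * and the C standard leaves that shift undefined. UBSan reports it as
 * "left shift of <value> by 24 places cannot be represented in type 'int'". */
static icUInt32Number read_be32_unsafe(const icUInt8Number *b)
{
    return (b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3];
}

/* Hardened form: widen each byte to icUInt32Number first, so every shift is
 * performed in an unsigned 32-bit type and is always defined. */
static icUInt32Number read_be32(const icUInt8Number *b)
{
    return ((icUInt32Number)b[0] << 24) | ((icUInt32Number)b[1] << 16) |
           ((icUInt32Number)b[2] << 8)  |  (icUInt32Number)b[3];
}

/* Checked shift for shift amounts that come from untrusted data: rejects
 * amounts outside [0, 31] and shifts that would drop set bits. */
static bool shl32_checked(icUInt32Number v, unsigned shift, icUInt32Number *out)
{
    if (shift >= 32)
        return false;                       /* shift count >= width is undefined */
    if (shift > 0 && (v >> (32 - shift)) != 0)
        return false;                       /* set bits would be shifted out */
    *out = v << shift;
    return true;
}

/* Convenience wrapper: the shifted value, or -1 when shl32_checked rejects it. */
static long long shl32_or_neg(icUInt32Number v, unsigned shift)
{
    icUInt32Number out;
    return shl32_checked(v, shift, &out) ? (long long)out : -1LL;
}

/* Constructed 4-byte field with the high bit set: the input that makes the
 * promoted-int version undefined. Only the hardened reader is used here. */
static icUInt32Number demo_field_value(void)
{
    static const icUInt8Number field[4] = {0x80, 0x00, 0x00, 0x01};
    return read_be32(field);
}

int main(void)
{
    printf("read_be32(field)   = 0x%08" PRIX32 "\n", demo_field_value());
    printf("1 << 31            = %lld\n", shl32_or_neg(1u, 31));
    printf("1 << 32            = %lld (rejected)\n", shl32_or_neg(1u, 32));
    printf("0x80000000 << 1    = %lld (rejected)\n", shl32_or_neg(0x80000000u, 1));
    /* Not called: build with -fsanitize=undefined and call it on the same
     * field to see the sanitizer diagnostic described in the answer above. */
    (void)read_be32_unsafe;
    return 0;
}
```

Compile with `-fsanitize=undefined` to have the sanitizer print the left-shift diagnostic at run time if the unsafe reader is invoked on a byte with the high bit set; the hardened reader and the checked helper produce no report because their shifts are always defined.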