CVE-2026-34549
Received Received - Intake
Undefined Behavior in iccDEV ICC Profile Parsing Causes Crash

Publication date: 2026-03-31

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in IccUtil.cpp triggered by a crafted input profile. Under UndefinedBehaviorSanitizer, the issue is reported as invalid left shift operations on icUInt32Number (unsigned 32-bit) where the shifted value β€œcannot be represented” in that type. This issue has been patched in version 2.3.1.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34549
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
color iccdev to 2.3.1.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-758 The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade iccDEV to version 2.3.1.6 or later, where the issue has been patched.

Executive Summary

This vulnerability exists in iccDEV, a set of libraries and tools for working with ICC color management profiles. Before version 2.3.1.6, there is an Undefined Behavior condition in the file IccUtil.cpp that can be triggered by a specially crafted input profile.

Specifically, under the UndefinedBehaviorSanitizer, the issue manifests as invalid left shift operations on an unsigned 32-bit integer (icUInt32Number), where the value being shifted cannot be represented within that type. This undefined behavior can cause unpredictable program behavior or crashes.

The vulnerability has been fixed in version 2.3.1.6 of iccDEV.

Impact Analysis

This vulnerability can lead to application crashes or other unpredictable behavior when processing crafted ICC color profiles due to invalid operations on data types.

According to the CVSS score of 6.2 with an attack vector of local (AV:L), an attacker would need local access to exploit this issue.

The impact is primarily on availability (A:H), meaning the vulnerability can cause denial of service or application instability, but it does not affect confidentiality or integrity.

Compliance Impact

The vulnerability in iccDEV involves an undefined behavior condition triggered by crafted input profiles, leading to invalid operations and potential application crashes. However, there is no information provided about any impact on confidentiality, integrity, or availability of personal or sensitive data that would directly affect compliance with standards such as GDPR or HIPAA.

Since the CVE description and available data do not mention any data breach, unauthorized access, or exposure of personal information, it is not possible to determine any direct effect on compliance with common regulations from the provided information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34549. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart