CVE-2026-34549
Undefined Behavior in iccDEV ICC Profile Parsing Causes Crash
Publication date: 2026-03-31
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | to 2.3.1.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-758 | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade iccDEV to version 2.3.1.6 or later, where the issue has been patched.
Can you explain this vulnerability to me?
This vulnerability exists in iccDEV, a set of libraries and tools for working with ICC color management profiles. Before version 2.3.1.6, there is an Undefined Behavior condition in the file IccUtil.cpp that can be triggered by a specially crafted input profile.
Specifically, under the UndefinedBehaviorSanitizer, the issue manifests as invalid left shift operations on an unsigned 32-bit integer (icUInt32Number), where the value being shifted cannot be represented within that type. This undefined behavior can cause unpredictable program behavior or crashes.
The vulnerability has been fixed in version 2.3.1.6 of iccDEV.
How can this vulnerability impact me? :
This vulnerability can lead to application crashes or other unpredictable behavior when processing crafted ICC color profiles due to invalid operations on data types.
According to the CVSS score of 6.2 with an attack vector of local (AV:L), an attacker would need local access to exploit this issue.
The impact is primarily on availability (A:H), meaning the vulnerability can cause denial of service or application instability, but it does not affect confidentiality or integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in iccDEV involves an undefined behavior condition triggered by crafted input profiles, leading to invalid operations and potential application crashes. However, there is no information provided about any impact on confidentiality, integrity, or availability of personal or sensitive data that would directly affect compliance with standards such as GDPR or HIPAA.
Since the CVE description and available data do not mention any data breach, unauthorized access, or exposure of personal information, it is not possible to determine any direct effect on compliance with common regulations from the provided information.