CVE-2026-34550
Undefined Behavior in iccDEV IccProfLib Causes Potential Memory Issues
Publication date: 2026-03-31
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | to 2.3.1.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-681 | When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in iccDEV, a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior condition caused by an implicit conversion from a negative signed integer to an unsigned size_t type. This conversion changes the value unexpectedly, which can lead to unpredictable behavior in the software.
How can this vulnerability impact me? :
The vulnerability can cause undefined behavior in the affected software, which may lead to crashes or other disruptions. According to the CVSS score, the impact is primarily on availability (score 6.2 with an impact on availability high), meaning it could cause denial of service or make the software unavailable.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update iccDEV to version 2.3.1.6 or later, where the issue has been patched.