CVE-2026-34554
Heap Buffer Overflow in iccApplySearch Tool via Malformed JSON
Publication date: 2026-03-31
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | versions before 2.3.1.6 (2.3.1.6 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap buffer overflow in the iccDEV library, specifically in the function CIccApplyCmmSearch::costFunc(). It is triggered by supplying malformed JSON configuration input to the iccApplySearch tool. The defect is an out-of-bounds read of 8 bytes: the program reads memory beyond the allocated buffer, which can lead to a crash or other undefined behavior.
How can this vulnerability impact me?
The impact of this vulnerability is primarily on availability. Because it is a heap buffer overflow (an out-of-bounds read) triggered by malformed input, it can cause the affected application to crash or behave unpredictably. According to the CVSS score, it has a high impact on availability but no impact on confidentiality or integrity.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in iccDEV version 2.3.1.6. To mitigate it, update the iccDEV library (iccproflib) and the iccApplySearch tool built against it to version 2.3.1.6 or later.