CVE-2026-34539

EUVD-2026-17703

31.03.2026, 22:16

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile and TIFF input can trigger a heap-buffer-overflow (HBO) in CTiffImg::WriteLine(). The issue is observable under AddressSanitizer as an out-of-bounds heap read when running iccSpecSepToTiff on a malicious .icc + .tif pair, leading to a crash during TIFF strip writing. This issue has been patched in version 2.3.1.6.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.2 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
color	iccdev	𝑥 < 2.3.1.6

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/InternationalColorConsortium/iccDEV/issues/672

Common Weakness Enumeration

CWE-122 - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

References

https://github.com/InternationalColorConsortium/iccDEV/issues/672

https://github.com/InternationalColorConsortium/iccDEV/pull/686

https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4f3j-q8mm-5hr6