Little CMS Heap Buffer Overflow Vulnerability in UnrollChunkyBytes Function

Vulnerability

A heap buffer overflow vulnerability has been identified in Little CMS version 2.16. The issue arises in the UnrollChunkyBytes function within cmspack.c, where insufficient boundary checking allows the function to read more bytes than allocated, leading to memory corruption.
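The missing boundary check described above, shown in its corrected form as an added example. This is a simplified model written for this page, not Little CMS code: the function name, signature, and sample bytes are assumptions, and only the 8-bit to 16-bit expansion of interleaved ("chunky") channels mirrors what an unroller of this kind does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not the Little CMS API): expand interleaved 8-bit
 * pixels to 16-bit samples and refuse to read past in_len. */
static int unroll_chunky_bytes_checked(const uint8_t *in, size_t in_len,
                                       size_t pixels, size_t channels,
                                       size_t extra,
                                       uint16_t *out, size_t out_cap)
{
    size_t stride = channels + extra;          /* input bytes per pixel */
    if (in == NULL || out == NULL || channels == 0 || stride < channels)
        return -1;                             /* bad args or size_t wrap */
    /* Division form of "pixels * stride <= in_len": cannot overflow. */
    if (pixels > in_len / stride)
        return -1;                             /* declared size exceeds buffer */
    if (pixels > out_cap / channels)
        return -1;                             /* output too small */
    for (size_t p = 0; p < pixels; p++) {
        for (size_t c = 0; c < channels; c++) {
            uint8_t v = in[p * stride + c];
            out[p * channels + c] = (uint16_t)((v << 8) | v); /* 0xAB -> 0xABAB */
        }
        /* trailing "extra" bytes of each pixel are skipped, never read */
    }
    return 0;
}

/* Constructed sample: two RGB pixels (6 bytes), no extra channel. */
static const uint8_t sample[6] = {0x00, 0x80, 0xFF, 0x12, 0x34, 0x56};
static uint16_t decoded[6];

/* Decode the sample while claiming it holds declared_pixels pixels. */
static int decode_sample(size_t declared_pixels)
{
    return unroll_chunky_bytes_checked(sample, sizeof sample, declared_pixels,
                                       3, 0, decoded, 6);
}

int main(void)
{
    printf("2 pixels declared: %d\n", decode_sample(2));
    printf("3 pixels declared: %d\n", decode_sample(3));
    return 0;
}
```

Without the two division checks, a declared pixel count of 3 would make the loop read three bytes beyond the 6-byte allocation, which is the class of access AddressSanitizer reports as a heap-buffer-overflow.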

Impact

Triggering this vulnerability causes a heap buffer overflow, which can potentially be exploited to execute arbitrary code or cause a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced using a proof-of-concept (PoC) file named 'Poc-UnrollChunkyBytes.zip', which is available as an attachment on the GitHub issue discussing this vulnerability. After the ZIP file is extracted, the PoC can be compiled and run with the Little CMS library to demonstrate the heap buffer overflow. The AddressSanitizer (ASan) tool can be used to detect the memory corruption caused by the vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.