iccDEV Heap-Based Buffer Overflow Vulnerability in CIccPcsXform::pushXYZConvert()
Vulnerability
A heap-based buffer overflow vulnerability has been identified in iccDEV versions prior to 2.3.1.5. The issue occurs in the CIccPcsXform::pushXYZConvert() function, where improper validation of matrix sizes leads to a heap out-of-bounds read. This flaw can cause a crash and potentially leak memory contents.
Impact
Exploitation of this vulnerability causes a heap-buffer-overflow, leading to a crash and potential memory leakage.
Reproduction
The vulnerability can be reproduced by using a crafted ICC profile that exploits the improper matrix size handling in the CIccPcsXform::pushXYZConvert() function. This can be done using the 'iccApplyNamedCmm' tool included in the iccDEV package, by specifying the malformed ICC profile as input.
Remediation
Users can update to iccDEV version 2.3.1.5 or later, where this vulnerability has been fixed. The latest version can be installed via package managers such as Homebrew, NPM, or Docker.
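The class of check whose absence the Vulnerability section describes, as an added example that is not iccDEV's code or its actual fix: a matrix parsed from a profile is applied to an XYZ triple only after its declared shape and its real allocation size are both verified. The names ParsedMatrix and applyXYZMatrix and the 3x3 shape are assumptions made for illustration.

```cpp
#include <array>
#include <cstddef>
#include <vector>

// Hypothetical stand-in for a matrix element parsed from an ICC profile.
// rows/cols come from the file, so they are untrusted input.
struct ParsedMatrix {
    std::size_t rows;
    std::size_t cols;
    std::vector<float> data;  // row-major, heap-allocated
};

using XYZ = std::array<float, 3>;

// Applies a 3x3 matrix to an XYZ triple, returning false instead of reading
// when the matrix is not exactly what the consumer expects. The unchecked
// pattern indexes data[0..8] unconditionally and reads past the heap buffer
// when the profile supplies a smaller matrix.
bool applyXYZMatrix(const ParsedMatrix& m, const XYZ& in, XYZ& out) {
    const std::size_t kDim = 3;
    // Reject any shape other than the one the conversion is written for.
    if (m.rows != kDim || m.cols != kDim) return false;
    // Reject a header that claims more elements than were actually stored.
    if (m.data.size() != kDim * kDim) return false;

    for (std::size_t r = 0; r < kDim; ++r) {
        float acc = 0.0f;
        for (std::size_t c = 0; c < kDim; ++c)
            acc += m.data[r * kDim + c] * in[c];
        out[r] = acc;
    }
    return true;
}

int main() {
    // Constructed samples: a valid 3x3 matrix and one that claims 3x3
    // but carries only four values.
    ParsedMatrix good{3, 3, {2.f, 0.f, 0.f, 0.f, 2.f, 0.f, 0.f, 0.f, 2.f}};
    ParsedMatrix truncated{3, 3, {1.f, 0.f, 0.f, 0.f}};
    XYZ in{{0.5f, 0.25f, 1.0f}};
    XYZ out{};
    bool ok = applyXYZMatrix(good, in, out) && !applyXYZMatrix(truncated, in, out);
    return ok ? 0 : 1;
}
```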
