{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22255", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.922Z", "datePublished": "2026-01-08T15:29:36.742Z", "dateUpdated": "2026-01-08T15:54:58.115Z"}, "containers": {"cna": {"title": "iccDEV has heap-buffer-overflow in CIccCLUT::Init() at IccProfLib/IccTagLut.cpp", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-130", "lang": "en", "description": "CWE-130: Improper Handling of Length Parameter Inconsistency", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-252", "lang": "en", "description": "CWE-252: Unchecked Return Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-qv2w-mq3g-73gv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-qv2w-mq3g-73gv"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/466", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/466"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/pull/469", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/469"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T15:29:36.742Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-qv2w-mq3g-73gv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T15:53:03.563267Z", "id": "CVE-2026-22255", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:54:58.115Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22255", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-08T15:53:03.563267Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:54:29.623Z"}}], "cna": {"title": "iccDEV has heap-buffer-overflow in CIccCLUT::Init() at IccProfLib/IccTagLut.cpp", "source": {"advisory": "GHSA-qv2w-mq3g-73gv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.2"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-qv2w-mq3g-73gv", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-qv2w-mq3g-73gv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/466", "name": "https://github.com/InternationalColorConsortium/iccDEV/issues/466", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/469", "name": "https://github.com/InternationalColorConsortium/iccDEV/pull/469", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-130", "description": "CWE-130: Improper Handling of Length Parameter Inconsistency"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-252", "description": "CWE-252: Unchecked Return Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T15:29:36.742Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22255", "state": "PUBLISHED", "dateUpdated": "2026-01-08T15:54:58.115Z", "dateReserved": "2026-01-07T05:19:12.922Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-08T15:29:36.742Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680", "versionEndExcluding": "2.3.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `CIccCLUT::Init()` at `IccProfLib/IccTagLut.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}], "id": "CVE-2026-22255", "lastModified": "2026-01-14T18:48:22.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-08T16:16:03.110", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/466"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/469"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-qv2w-mq3g-73gv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-130"}, {"lang": "en", "value": "CWE-252"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:38:10.809582+00:00", "value": {"mitigation_remediation": ["Apply the official update to iccDEV version 2.3.1.2 or later from the International Color Consortium repository or distribution channels.", "Recompile and redeploy any applications or services that link against iccDEV to ensure the patched library is in use.", "Limit the processing of ICC profiles to trusted sources, validate profile integrity before loading, and consider sandboxing or disabling profile handling in environments where immediate patching is not feasible."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "InternationalColorConsortium:iccDEV libraries that process ICC color profiles are affected. All releases earlier than version 2.3.1.2 are vulnerable. The patch is included in iccDEV 2.3.1.2 and later, so any installation using those earlier versions must be considered compromised until updated.", "description_and_impact": "The vulnerability is a heap\u2011buffer\u2011overflow located in the CIccCLUT::Init() function of the iccDEV library (IccProfLib/IccTagLut.cpp). When a malformed ICC profile is parsed, the library can write beyond the bounds of a heap buffer, corrupting adjacent memory. This corruption can be leveraged by an attacker to execute arbitrary code or crash the application, violating confidentiality, integrity, and availability of the host system.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity. The EPSS score is less than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of immediate exploitation in the wild. However, the attack requires the delivery of a crafted ICC profile to an application that uses iccDEV, which is common in many imaging, printing, and publishing workflows. Because the flaw is a classic heap overflow, it carries the potential for arbitrary code execution once triggered."}}}}, "created": "2026-01-09T13:24:45.815933+00:00", "updated": "2026-04-18T07:45:24.979322+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}