{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25634", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-04T05:15:41.790Z", "datePublished": "2026-02-06T20:21:40.108Z", "dateUpdated": "2026-02-06T20:53:17.123Z"}, "containers": {"cna": {"title": "iccDEV memcpy-param-overlap in CIccTagMultiProcessElement::Apply()", "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "lang": "en", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-123", "lang": "en", "description": "CWE-123: Write-what-where Condition", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-628", "lang": "en", "description": "CWE-628: Function Call with Incorrectly Specified Arguments", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-682", "lang": "en", "description": "CWE-682: Incorrect Calculation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-35rg-jcmp-583h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-35rg-jcmp-583h"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/577", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/577"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/pull/579", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/579"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/commit/9206e0b8684e4cf4186d9ae768f16760bc1af9ff", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/9206e0b8684e4cf4186d9ae768f16760bc1af9ff"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.4"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T20:21:40.108Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers overlap in CIccTagMultiProcessElement::Apply() int IccTagMPE.cpp. This vulnerability is fixed in 2.3.1.4."}], "source": {"advisory": "GHSA-35rg-jcmp-583h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T20:52:49.613885Z", "id": "CVE-2026-25634", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T20:53:17.123Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25634", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T20:52:49.613885Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T20:53:05.289Z"}}], "cna": {"title": "iccDEV memcpy-param-overlap in CIccTagMultiProcessElement::Apply()", "source": {"advisory": "GHSA-35rg-jcmp-583h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.4"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-35rg-jcmp-583h", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-35rg-jcmp-583h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/577", "name": "https://github.com/InternationalColorConsortium/iccDEV/issues/577", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/579", "name": "https://github.com/InternationalColorConsortium/iccDEV/pull/579", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/9206e0b8684e4cf4186d9ae768f16760bc1af9ff", "name": "https://github.com/InternationalColorConsortium/iccDEV/commit/9206e0b8684e4cf4186d9ae768f16760bc1af9ff", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.4", "name": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers overlap in CIccTagMultiProcessElement::Apply() int IccTagMPE.cpp. This vulnerability is fixed in 2.3.1.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-123", "description": "CWE-123: Write-what-where Condition"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-628", "description": "CWE-628: Function Call with Incorrectly Specified Arguments"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-682", "description": "CWE-682: Incorrect Calculation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T20:21:40.108Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25634", "state": "PUBLISHED", "dateUpdated": "2026-02-06T20:53:17.123Z", "dateReserved": "2026-02-04T05:15:41.790Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T20:21:40.108Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AA25C48-3EE4-4FEB-9C10-6D32BFABD814", "versionEndExcluding": "2.3.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers overlap in CIccTagMultiProcessElement::Apply() int IccTagMPE.cpp. This vulnerability is fixed in 2.3.1.4."}], "id": "CVE-2026-25634", "lastModified": "2026-02-19T17:55:29.617", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T21:16:18.530", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/9206e0b8684e4cf4186d9ae768f16760bc1af9ff"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/577"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/579"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.4"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-35rg-jcmp-583h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-123"}, {"lang": "en", "value": "CWE-628"}, {"lang": "en", "value": "CWE-682"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:27:37.398069+00:00", "value": {"mitigation_remediation": ["Upgrade to iccDEV v2.3.1.4 or later to remove the source of the buffer overlap. ", "Recompile or relink all dependent applications to ensure they link against the updated library. ", "If an upgrade cannot be performed immediately, restrict the loading of ICC profiles from untrusted sources or disable color management features that rely on the vulnerable library functions."], "summary": {"action": "Patch Immediately", "impact": "Potential Memory Overwrite and Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "InternationalColorConsortium\u2019s iccDEV library, any version released before 2.3.1.4, is affected. The vulnerability was fixed in release 2.3.1.4 and later.", "description_and_impact": "A buffer overlap in the CIccTagMultiProcessElement::Apply() function causes src and dest stack buffers to interfere, creating an out\u2011of\u2011bounds write that can corrupt memory and potentially allow an attacker to execute arbitrary code or corrupt data managed by the library.", "risk_and_exploitability": "The CVSS score of 7.8 reflects a high severity associated with memory corruption. EPSS indicates a very low exploitation probability (<1%), and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation likely requires the attacker to invoke the vulnerable library function within a process that has sufficient privileges, implying a local or application\u2011level attack vector rather than remote exploitation."}}}}, "created": "2026-02-09T10:49:42.001494+00:00", "updated": "2026-04-17T22:30:29.598294+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}