{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30981", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-07T17:53:48.817Z", "datePublished": "2026-03-10T17:49:31.313Z", "dateUpdated": "2026-03-10T19:32:27.754Z"}, "containers": {"cna": {"title": "iccDEV has a heap-buffer-overflow read in CIccXmlArrayType<>", "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "lang": "en", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pmcg-2h65-35h8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pmcg-2h65-35h8"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/627", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/627"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/pull/631", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/631"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T17:49:31.313Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-buffer-overflow read in CIccXmlArrayType<>::DumpArray() causing out-of-bounds read and/or crash. This vulnerability is fixed in 2.3.1.5."}], "source": {"advisory": "GHSA-pmcg-2h65-35h8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30981", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T19:26:24.129490Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:32:27.754Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30981", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T19:26:24.129490Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:28:04.214Z"}}], "cna": {"title": "iccDEV has a heap-buffer-overflow read in CIccXmlArrayType<>", "source": {"advisory": "GHSA-pmcg-2h65-35h8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.5"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pmcg-2h65-35h8", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pmcg-2h65-35h8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/627", "name": "https://github.com/InternationalColorConsortium/iccDEV/issues/627", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/631", "name": "https://github.com/InternationalColorConsortium/iccDEV/pull/631", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5", "name": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-buffer-overflow read in CIccXmlArrayType<>::DumpArray() causing out-of-bounds read and/or crash. This vulnerability is fixed in 2.3.1.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T17:49:31.313Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30981", "state": "PUBLISHED", "dateUpdated": "2026-03-10T19:32:27.754Z", "dateReserved": "2026-03-07T17:53:48.817Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T17:49:31.313Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "93948DB5-220B-49A5-A4BC-B3D19FBCBED5", "versionEndExcluding": "2.3.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-buffer-overflow read in CIccXmlArrayType<>::DumpArray() causing out-of-bounds read and/or crash. This vulnerability is fixed in 2.3.1.5."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gesti\u00f3n de color ICC. Antes de 2.3.1.5, existe una lectura de desbordamiento de b\u00fafer de pila en CIccXmlArrayType&lt;&gt;::DumpArray() causando lectura fuera de l\u00edmites y/o ca\u00edda. Esta vulnerabilidad est\u00e1 corregida en 2.3.1.5."}], "id": "CVE-2026-30981", "lastModified": "2026-03-13T20:28:34.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T18:18:57.020", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/627"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/631"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pmcg-2h65-35h8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3.1.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "iccDEV", "source": "cna", "vendor": "InternationalColorConsortium"}, "product": "iccdev", "vendor": "internationalcolorconsortium"}], "analysis": {"en": {"generated_at": "2026-04-16T03:44:25.359774+00:00", "value": {"mitigation_remediation": ["Update iccDEV to version 2.3.1.5 or newer to remove the overread", "If an update cannot be applied immediately, isolate or disable any functionality that invokes CIccXmlArrayType::DumpArray() in the affected applications", "Continue monitoring the International Color Consortium security advisories for additional mitigation guidance"], "summary": {"action": "Apply Latest Patch", "impact": "Out\u2011of\u2011bounds read that may trigger a crash or expose sensitive data"}, "threat_synthesis": {"affected_systems": "All installations of International Color Consortium iccDEV older than version 2.3.1.5 are affected. The vulnerability exists in the core library and any tool that imports or processes ICC XML profiles via this function. Version 2.3.1.5 and later include the fix.", "description_and_impact": "iccDEV libraries contain a heap\u2011buffer\u2011overflow read in the CIccXmlArrayType<>::DumpArray() function, allowing an attacker to read memory beyond the intended buffer. This vulnerable code path can lead to a program crash or the disclosure of non\u2011public information. The issue is classed under CWE\u2011120, CWE\u2011125, and CWE\u2011787, which are all related to heap buffer overreads and related memory corruption weaknesses.", "risk_and_exploitability": "The CVSS score 6.1 categorizes this as a medium severity vulnerability. Exploit probability is low with an EPSS score of less than 1\u202f%. It is not listed in the CISA KEV catalog, indicating no known large\u2011scale exploited instances. Based on the description, the likely attack vector is local or within any process that loads ICC profiles; an attacker would need to supply crafted XML data to trigger the overflow, thus requiring some level of input control."}}}}, "created": "2026-03-11T11:44:37.133710+00:00", "updated": "2026-04-16T03:45:16.022072+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}