{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31794", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T16:33:42.912Z", "datePublished": "2026-03-10T18:02:54.648Z", "dateUpdated": "2026-03-10T19:32:26.466Z"}, "containers": {"cna": {"title": "iccDEV has a SEGV in CIccCLUT::Interp3d()", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-703", "lang": "en", "description": "CWE-703: Improper Check or Handling of Exceptional Conditions", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6jrq-wfqg-wv7w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6jrq-wfqg-wv7w"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/645", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/645"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/pull/653", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/653"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T18:02:54.648Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a segmentation fault from invalid/wild pointer read in CIccCLUT::Interp3d() causing a denial of service. This vulnerability is fixed in 2.3.1.5."}], "source": {"advisory": "GHSA-6jrq-wfqg-wv7w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T19:24:25.280645Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:32:26.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T19:24:25.280645Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:27:45.157Z"}}], "cna": {"title": "iccDEV has a SEGV in CIccCLUT::Interp3d()", "source": {"advisory": "GHSA-6jrq-wfqg-wv7w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.5"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6jrq-wfqg-wv7w", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6jrq-wfqg-wv7w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/645", "name": "https://github.com/InternationalColorConsortium/iccDEV/issues/645", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/653", "name": "https://github.com/InternationalColorConsortium/iccDEV/pull/653", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5", "name": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a segmentation fault from invalid/wild pointer read in CIccCLUT::Interp3d() causing a denial of service. This vulnerability is fixed in 2.3.1.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-703", "description": "CWE-703: Improper Check or Handling of Exceptional Conditions"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T18:02:54.648Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31794", "state": "PUBLISHED", "dateUpdated": "2026-03-10T19:32:26.466Z", "dateReserved": "2026-03-09T16:33:42.912Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T18:02:54.648Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "93948DB5-220B-49A5-A4BC-B3D19FBCBED5", "versionEndExcluding": "2.3.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a segmentation fault from invalid/wild pointer read in CIccCLUT::Interp3d() causing a denial of service. This vulnerability is fixed in 2.3.1.5."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gesti\u00f3n de color ICC. Antes de 2.3.1.5, existe un fallo de segmentaci\u00f3n por lectura de puntero inv\u00e1lido/err\u00f3neo en CIccCLUT::Interp3d() que causa una denegaci\u00f3n de servicio. Esta vulnerabilidad est\u00e1 corregida en 2.3.1.5."}], "id": "CVE-2026-31794", "lastModified": "2026-03-13T20:30:38.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T18:18:59.757", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/645"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/653"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6jrq-wfqg-wv7w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-703"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3.1.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "iccDEV", "source": "cna", "vendor": "InternationalColorConsortium"}, "product": "iccdev", "vendor": "internationalcolorconsortium"}], "analysis": {"en": {"generated_at": "2026-04-16T03:41:06.065600+00:00", "value": {"mitigation_remediation": ["Upgrade iccDEV to the patched release\u00a02.3.1.5 or later", "If upgrading is not immediately feasible, isolate any applications that load ICC profiles from untrusted data sources to prevent the crash from affecting critical services", "Deploy input validation or runtime checks against malformed ICC profiles to reduce the likelihood of the pointer read occurring, aligning with best practices for handling structured binary data"], "summary": {"action": "Patch Upgrade", "impact": "Denial of Service via Segmentation Fault"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of International Color Consortium\u2019s iccDEV library prior to version\u00a02.3.1.5. Systems that compile or link against iccDEV, such as color management tools or imaging applications that load ICC profiles, are susceptible if they use a version older than the released patch.", "description_and_impact": "ic\u202fcDEV contains a bug in the CIccCLUT::Interp3d() routine that triggers a segmentation fault when a wild or invalid pointer is dereferenced. The resulting crash causes a denial of service by terminating the process that is handling the ICC profile. This flaw is a classic out\u2011of\u2011bounds read (CWE\u2011125) coupled with a use\u2011after\u2011free condition (CWE\u2011703).", "risk_and_exploitability": "The CVSS score of 5.5 places the issue in the medium severity range, and an EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The CVE is not listed in the CISA KEV catalog. The likely attack path involves an attacker supplying a malicious ICC profile that forces the vulnerable library to read an out\u2011of\u2011bounds or freed pointer, leading to a crash. No external access vector is required; exploitation is confined to the local process that loads the profile. While the impact is limited to a denial of service for that process, repeated crashes could degrade system availability, especially in high\u2011throughput or unattended environments.", "sites": []}}}}, "created": "2026-03-11T11:44:07.489867+00:00", "updated": "2026-04-16T03:45:16.018469+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}