{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31797", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T16:33:42.912Z", "datePublished": "2026-03-10T18:06:12.920Z", "dateUpdated": "2026-03-10T19:32:25.965Z"}, "containers": {"cna": {"title": "iccDEV has a heap out-of-bounds read in CTiffImg::ReadLine()", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wh2p-cm3r-7hm3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wh2p-cm3r-7hm3"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/656", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/656"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/pull/659", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/659"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T18:06:12.920Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CTiffImg::ReadLine() when iccApplyProfiles processes a crafted TIFF image, causing memory disclosure or crash. This vulnerability is fixed in 2.3.1.5."}], "source": {"advisory": "GHSA-wh2p-cm3r-7hm3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31797", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T19:25:46.282183Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:32:25.965Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31797", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T19:25:46.282183Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:27:36.861Z"}}], "cna": {"title": "iccDEV has a heap out-of-bounds read in CTiffImg::ReadLine()", "source": {"advisory": "GHSA-wh2p-cm3r-7hm3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.5"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wh2p-cm3r-7hm3", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wh2p-cm3r-7hm3", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/656", "name": "https://github.com/InternationalColorConsortium/iccDEV/issues/656", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/659", "name": "https://github.com/InternationalColorConsortium/iccDEV/pull/659", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5", "name": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CTiffImg::ReadLine() when iccApplyProfiles processes a crafted TIFF image, causing memory disclosure or crash. This vulnerability is fixed in 2.3.1.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-10T18:06:12.920Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31797", "state": "PUBLISHED", "dateUpdated": "2026-03-10T19:32:25.965Z", "dateReserved": "2026-03-09T16:33:42.912Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-10T18:06:12.920Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "93948DB5-220B-49A5-A4BC-B3D19FBCBED5", "versionEndExcluding": "2.3.1.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap out-of-bounds read in CTiffImg::ReadLine() when iccApplyProfiles processes a crafted TIFF image, causing memory disclosure or crash. This vulnerability is fixed in 2.3.1.5."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gesti\u00f3n de color ICC. Antes de 2.3.1.5, existe una lectura fuera de l\u00edmites en el heap en CTiffImg::ReadLine() cuando iccApplyProfiles procesa una imagen TIFF manipulada, causando divulgaci\u00f3n de memoria o un fallo. Esta vulnerabilidad est\u00e1 corregida en 2.3.1.5."}], "id": "CVE-2026-31797", "lastModified": "2026-03-13T19:30:09.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-10T18:19:00.347", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/656"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/659"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.5"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wh2p-cm3r-7hm3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3.1.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "iccDEV", "source": "cna", "vendor": "InternationalColorConsortium"}, "product": "iccdev", "vendor": "internationalcolorconsortium"}], "analysis": {"en": {"generated_at": "2026-04-16T03:39:56.992381+00:00", "value": {"mitigation_remediation": ["Upgrade iccDEV to version 2.3.1.5 or later from the InternationalColorConsortium release repository.", "If an upgrade cannot be performed immediately, limit the processing of TIFF files to trusted sources only, or run the image handling code in a sandboxed environment.", "Consider monitoring the application for crash events or abnormal memory reads, and enforce strict file size or type validation to reduce the risk of exploitation."], "summary": {"action": "Apply Patch", "impact": "Memory Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is InternationalColorConsortium\u2019s iccDEV library. Versions earlier than 2.3.1.5 are vulnerable. The security fix is delivered in release 2.3.1.5.", "description_and_impact": "This vulnerability is a heap out\u2011of\u2011bounds read in CTiffImg::ReadLine() within the iccApplyProfiles function of the iccDEV library. The flaw, classified as CWE\u2011125 and CWE\u2011787, allows a crafted TIFF image to cause either a memory disclosure or a crash. The vulnerability is local in nature and can potentially expose sensitive data residing on the system\u2019s memory space when the library processes malicious image data.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a medium severity impact. EPSS scoring below 1\u202f% signals a very low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting there are no known widespread attacks. Attackers would need to supply a malicious TIFF image to a process using iccDEV, which is typically local to the application. Successful exploitation could result in the disclosure of sensitive memory contents or an application crash, potentially leading to denial of service on the host system."}}}}, "created": "2026-03-11T11:44:03.258576+00:00", "updated": "2026-04-16T03:45:16.018021+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}