{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34553", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:31:39.264Z", "datePublished": "2026-03-31T22:17:30.597Z", "dateUpdated": "2026-04-03T16:42:40.873Z"}, "containers": {"cna": {"title": "iccDEV: DoS in CIccCLUT::Iterate() & CIccMBB::Describe()", "problemTypes": [{"descriptions": [{"cweId": "CWE-562", "lang": "en", "description": "CWE-562: Return of Stack Variable Address", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-665", "lang": "en", "description": "CWE-665: Improper Initialization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5r4q-77w5-3q3h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5r4q-77w5-3q3h"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/704", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/704"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/pull/737", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/737"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T22:17:30.597Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is a defect in LUT dump/iteration logic affecting CIccCLUT::Iterate() and output produced by CIccMBB::Describe() (via CLUT dumping). This issue has been patched in version 2.3.1.6."}], "source": {"advisory": "GHSA-5r4q-77w5-3q3h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T16:42:28.325586Z", "id": "CVE-2026-34553", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:42:40.873Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34553", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T16:42:28.325586Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T16:42:36.440Z"}}], "cna": {"title": "iccDEV: DoS in CIccCLUT::Iterate() & CIccMBB::Describe()", "source": {"advisory": "GHSA-5r4q-77w5-3q3h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.6"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5r4q-77w5-3q3h", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5r4q-77w5-3q3h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/704", "name": "https://github.com/InternationalColorConsortium/iccDEV/issues/704", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/737", "name": "https://github.com/InternationalColorConsortium/iccDEV/pull/737", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is a defect in LUT dump/iteration logic affecting CIccCLUT::Iterate() and output produced by CIccMBB::Describe() (via CLUT dumping). This issue has been patched in version 2.3.1.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-562", "description": "CWE-562: Return of Stack Variable Address"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-665", "description": "CWE-665: Improper Initialization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T22:17:30.597Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34553", "state": "PUBLISHED", "dateUpdated": "2026-04-03T16:42:40.873Z", "dateReserved": "2026-03-30T16:31:39.264Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T22:17:30.597Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE133F29-9592-4669-8B76-9F7C88EFE17D", "versionEndExcluding": "2.3.1.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is a defect in LUT dump/iteration logic affecting CIccCLUT::Iterate() and output produced by CIccMBB::Describe() (via CLUT dumping). This issue has been patched in version 2.3.1.6."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gesti\u00f3n de color ICC. Antes de la versi\u00f3n 2.3.1.6, existe un defecto en la l\u00f3gica de volcado/iteraci\u00f3n de LUT que afecta a CIccCLUT::Iterate() y a la salida producida por CIccMBB::Describe() (mediante el volcado de CLUT). Este problema ha sido parcheado en la versi\u00f3n 2.3.1.6."}], "id": "CVE-2026-34553", "lastModified": "2026-04-20T14:36:32.003", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T23:17:10.460", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Exploit", "Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/704"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/737"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5r4q-77w5-3q3h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-562"}, {"lang": "en", "value": "CWE-665"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3.1.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "iccDEV", "source": "cna", "vendor": "InternationalColorConsortium"}, "product": "iccdev", "vendor": "internationalcolorconsortium"}], "analysis": {"en": {"generated_at": "2026-04-01T06:34:00.900339+00:00", "value": {"mitigation_remediation": ["Upgrade iccDEV to version 2.3.1.6 or later", "Rebuild or update dependent applications to reference the patched library", "If an upgrade cannot be performed immediately, restrict usage of CLUT dumping or CIccMBB::Describe() to trusted inputs only", "Monitor application logs for repeated failures or resource exhaustion that may indicate exploitation attempts"], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "International Color Consortium\u2019s iccDEV library in all versions prior to 2.3.1.6. The affected code resides in the CIccCLUT::Iterate() function and the CLUT dumping path of CIccMBB::Describe(). Any system that loads or processes ICC profiles with a vulnerable version of iccDEV is at risk.", "description_and_impact": "The defect in iccDEV\u2019s CIccCLUT::Iterate() and the CLUT dumping logic used by CIccMBB::Describe() can cause the library to consume excessive resources or crash, leading to a denial of service. This vulnerability is classified under CWE\u2011562 and CWE\u2011665, indicating issues with resource management and buffer handling. The impact is a loss of availability for any application that processes ICC profiles using these functions.", "risk_and_exploitability": "The CVSS score of 4.0 indicates a medium to low severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or remote, depending on how the application uses iccDEV; an attacker could trigger the DoS by supplying crafted ICC profile data that exercises the vulnerable logic. Because exploitation requires the library to be loaded and the specific code path to be invoked, the overall risk remains moderate. Prompt remediation is still recommended due to the availability impact."}}}}, "created": "2026-04-02T07:51:43.773329+00:00", "updated": "2026-04-02T20:10:03.591869+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}