CVE-2026-25503

HIGH

Color Iccdev < 2.3.1.2 - Type Confusion


Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, a type confusion allowed malformed ICC profiles to trigger undefined behavior when invalid icImageEncodingType values were loaded, causing denial of service. This issue has been patched in version 2.3.1.2.

Scores

CVSS v3: 7.1
EPSS: 0.0005
EPSS Percentile: 16.2%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-704, CWE-843
Status: published
Products (1): color/iccdev < 2.3.1.2
Published: Feb 03, 2026
Tracked Since: Feb 18, 2026