CVE-2026-25503

HIGH

Color Iccdev < 2.3.1.2 - Type Confusion

Title source: rule

Description

iccDEV provides a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Prior to version 2.3.1.2, a type confusion allowed malformed ICC profiles to trigger undefined behavior when invalid icImageEncodingType values were loaded, causing denial of service. This issue has been patched in version 2.3.1.2.

Scores

CVSS v3 7.1
EPSS 0.0004
EPSS Percentile 13.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Classification

CWE
CWE-704 CWE-843
Status published

Affected Products (1)

color/iccdev < 2.3.1.2

Timeline

Published Feb 03, 2026
Tracked Since Feb 18, 2026