{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34550", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T16:31:39.264Z", "datePublished": "2026-03-31T22:12:29.295Z", "dateUpdated": "2026-04-01T15:52:34.312Z"}, "containers": {"cna": {"title": "iccDEV: UB at IccIO.cpp", "problemTypes": [{"descriptions": [{"cweId": "CWE-681", "lang": "en", "description": "CWE-681: Incorrect Conversion between Numeric Types", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-rmxp-pxf4-p7wm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-rmxp-pxf4-p7wm"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/718", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/718"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/pull/727", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/727"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T22:12:29.295Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in IccProfLib/IccIO.cpp caused by an implicit conversion from a negative signed integer to size_t (unsigned), which changes the value. This issue has been patched in version 2.3.1.6."}], "source": {"advisory": "GHSA-rmxp-pxf4-p7wm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T15:24:30.741063Z", "id": "CVE-2026-34550", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T15:52:34.312Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE133F29-9592-4669-8B76-9F7C88EFE17D", "versionEndExcluding": "2.3.1.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in IccProfLib/IccIO.cpp caused by an implicit conversion from a negative signed integer to size_t (unsigned), which changes the value. This issue has been patched in version 2.3.1.6."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gesti\u00f3n de color ICC. Antes de la versi\u00f3n 2.3.1.6, existe una condici\u00f3n de Comportamiento Indefinido (UB) en IccProfLib/IccIO.cpp causada por una conversi\u00f3n impl\u00edcita de un entero con signo negativo a size_t (sin signo), lo que cambia el valor. Este problema ha sido parcheado en la versi\u00f3n 2.3.1.6."}], "id": "CVE-2026-34550", "lastModified": "2026-04-20T14:33:21.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-31T23:17:09.933", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Exploit"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/718"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/727"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-rmxp-pxf4-p7wm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-681"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3.1.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "iccDEV", "source": "cna", "vendor": "InternationalColorConsortium"}, "product": "iccdev", "vendor": "internationalcolorconsortium"}], "analysis": {"en": {"generated_at": "2026-04-01T06:35:01.407991+00:00", "value": {"mitigation_remediation": ["Upgrade iccDEV to version 2.3.1.6 or later", "Verify that all system components load the updated library", "If an upgrade is not possible, prevent or isolate usage of the vulnerable library until the patch is applied"], "summary": {"action": "Apply Patch", "impact": "Undefined behavior due to an implicit signed to unsigned conversion that can lead to program crashes or data corruption"}, "threat_synthesis": {"affected_systems": "International Color Consortium\u2019s iccDEV libraries and tools are impacted in all releases prior to version 2.3.1.6. Version 2.3.1.6 and later incorporate a fix that removes the problematic conversion, thereby eliminating the undefined behavior. Any deployment using older versions of iccDEV must be reviewed to confirm whether the vulnerable code path is exercised.", "description_and_impact": "The vulnerability in iccDEV\u2019s IccIO.cpp arises from an implicit cast of a negative signed integer to an unsigned size_t, resulting in undefined behavior as classified by CWE-681. This can cause the library to miscalculate buffer sizes or indices, potentially leading to memory corruption, crashes, or unintended logic during ICC profile processing. The primary consequence is the compromise of program stability and data integrity when the library is used.", "risk_and_exploitability": "With a CVSS score of 6.2, the flaw represents moderate severity. No EPSS score is provided and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating limited known exploitation. The likely attack vector is inferred from the description: any process that loads and processes ICC profiles through the affected library may trigger the behavior. Because the issue stems from internal code logic rather than external input, exploitation requires the library to run within the application context. Nevertheless, the risk is non\u2011negligible for applications that rely on iccDEV, so remediation is recommended to avoid potential instability or data corruption."}}}}, "created": "2026-04-02T07:51:47.441181+00:00", "updated": "2026-04-02T20:10:07.516197+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}