CVE-2026-22046

8.8 HIGH

📋 TL;DR

A heap-buffer-overflow vulnerability in iccDEV's CIccProfileXml::ParseBasic() function allows attackers to execute arbitrary code or cause a denial of service by getting a malicious ICC color profile processed. It affects every application that handles ICC profiles with an iccDEV library version before 2.3.1.2. The vulnerability carries a high CVSS score of 8.8 because of its potential for remote code execution.

💻 Affected Systems

Products:
  • iccDEV library and any software using iccDEV
Versions: All versions prior to 2.3.1.2
Operating Systems: All platforms where iccDEV is used
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using iccDEV to parse ICC profiles is vulnerable regardless of configuration

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment

🟠 Likely Case: Application crash or denial of service affecting color management functionality

🟢 If Mitigated: Limited impact with proper input validation and memory protections

🌐 Internet-Facing: HIGH - Applications processing user-uploaded ICC profiles are directly exposed
🏢 Internal Only: MEDIUM - Internal applications processing ICC profiles remain vulnerable but with reduced attack surface

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious ICC profiles but no authentication is needed

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.1.2

Vendor Advisory: https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7v4q-mhr2-hj7r

Restart Required: Yes

Instructions:

1. Update iccDEV to version 2.3.1.2 or later.
2. Rebuild any applications using iccDEV.
3. Restart affected services.
4. Test color profile functionality.

🔧 Temporary Workarounds

No known workarounds


The vendor advisory states no workarounds are available

🧯 If You Can't Patch

  • Disable ICC profile processing in affected applications
  • Implement strict input validation and sanitization for ICC profile files

🔍 How to Verify

Check if Vulnerable:

Check if your application uses iccDEV library version < 2.3.1.2

Check Version:

Check build configuration or dependency files for iccDEV version

Verify Fix Applied:

Verify iccDEV version is 2.3.1.2 or higher and test with known ICC profiles

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during ICC profile processing
  • Memory access violation errors
  • Unexpected process termination

Network Indicators:

  • Unusual ICC profile uploads to web applications
  • Large or malformed ICC profile transfers

SIEM Query:

Process termination and crash events from applications known to link the iccDEV library, correlated with preceding ICC profile processing activity

🔗 References