Cyber Posture

CVE-2026-25502

High · Public PoC

Published: 03 February 2026

Modified: 10 February 2026
KEV Added:
Patch:
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.6th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25502 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Color Iccdev. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 4.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly remediates the stack-based buffer overflow by requiring timely patching of iccDEV to version 2.3.1.2 or later.

prevent

Provides memory protections such as stack canaries, ASLR, and DEP to block arbitrary code execution even if the buffer overflow occurs.

prevent

Enforces validation of ICC profile inputs, including NamedColor2 tags, to block malformed data from reaching the vulnerable icFixXml function.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1566.001 Spearphishing Attachment (Initial Access)
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
Why these techniques?

Stack buffer overflow in ICC profile parser enables arbitrary code execution on local file open (T1204.002); commonly delivered via spearphishing attachment (T1566.001) or other client-side exploitation (T1203).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, stack-based buffer overflow in icFixXml() function when processing malformed ICC profiles, allows potential arbitrary code execution through crafted NamedColor2 tags. This issue has been patched in version 2.3.1.2.

Deeper analysis

CVE-2026-25502 is a stack-based buffer overflow vulnerability in the icFixXml() function within iccDEV, a set of libraries and tools designed for interacting with, manipulating, and applying ICC color management profiles. The issue affects versions of iccDEV prior to 2.3.1.2 and is triggered when processing malformed ICC profiles containing crafted NamedColor2 tags, potentially enabling arbitrary code execution. It is associated with CWE-121 and CWE-787.

Exploitation requires local access (AV:L) with low attack complexity (AC:L) and no privileges (PR:N), but depends on user interaction (UI:R), such as processing a malicious ICC profile file. A successful attack results in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) with no scope change (S:U), earning a CVSS v3.1 base score of 7.8.

The vulnerability has been patched in iccDEV version 2.3.1.2. Mitigation details are documented in the project's GitHub security advisory (GHSA-c2qq-jf7w-rm27), issue #537, pull request #545, and the fixing commit be5d7ec5cc137c084c08006aee8cd3ed378c7ac2. Security practitioners should upgrade to the patched version to address the flaw.

Details

CWE(s)

Affected Products

color
iccdev
≤ 2.3.1.2

CVEs Like This One

CVE-2026-30987 · Same product: Color Iccdev
CVE-2026-31795 · Same product: Color Iccdev
CVE-2026-30983 · Same product: Color Iccdev
CVE-2026-25584 · Same product: Color Iccdev
CVE-2026-31796 · Same product: Color Iccdev
CVE-2026-25582 · Same product: Color Iccdev
CVE-2026-30985 · Same product: Color Iccdev
CVE-2026-30979 · Same product: Color Iccdev
CVE-2026-22861 · Same product: Color Iccdev
CVE-2026-21678 · Same product: Color Iccdev
