Cyber Posture

CVE-2026-25582

Severity: High · Public PoC

Published: 04 February 2026
Modified: 18 February 2026
KEV Added: not listed
Patch: available (version 2.3.1.3)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (0.6th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25582 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Color Iccdev. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability is ranked at the 0.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and one other technique (T1204.002, Malicious File). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely patching of the heap buffer overflow vulnerability in iccDEV prior to version 2.3.1.3, preventing exploitation via malformed XML in iccFromXml.

Prevent: Mandates validation of XML inputs to the iccFromXml tool, blocking malformed data that triggers the heap buffer overflow read in CIccIO::WriteUInt16Float().

Prevent: Enforces memory protection mechanisms that mitigate heap corruption and potential arbitrary code execution from the buffer overflow vulnerability.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Heap buffer overflow in iccFromXml XML-to-ICC conversion enables client-side arbitrary code execution when a user is tricked into opening a malicious XML file, directly mapping to exploitation for client execution and malicious file delivery.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow (read) vulnerability in CIccIO::WriteUInt16Float() when converting malformed XML to ICC profiles via the iccFromXml tool. This issue has been patched in version 2.3.1.3.

Deeper analysis

CVE-2026-25582 is a heap buffer overflow (read) vulnerability in the iccDEV libraries and tools, which enable interaction, manipulation, and application of ICC color management profiles. The issue occurs in the CIccIO::WriteUInt16Float() function during conversion of malformed XML to ICC profiles using the iccFromXml tool. It affects iccDEV versions prior to 2.3.1.3, is associated with CWE-119, CWE-122, and CWE-787, and carries a CVSS v3.1 base score of 7.8.

The vulnerability can be exploited by a local attacker with no privileges required and low attack complexity, but it needs user interaction, such as tricking a user into processing a specially crafted malicious XML file with iccFromXml. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially enabling heap corruption, arbitrary code execution, or system crashes, with scope unchanged.

Mitigation is available via the patch in iccDEV version 2.3.1.3. The project's GitHub security advisory (GHSA-46hq-fphp-jggf), issue #559, pull request #561, and commit b5e5dd238f609ec1a4efb25674e7fa4bd29d894a detail the fix and resolution. Security practitioners should prioritize updating affected systems to the patched version.

Details

CWE(s)

Affected Products

color / iccdev ≤ 2.3.1.3

CVEs Like This One

CVE-2026-31796 (same product: Color Iccdev)
CVE-2026-25583 (same product: Color Iccdev)
CVE-2026-30985 (same product: Color Iccdev)
CVE-2026-30979 (same product: Color Iccdev)
CVE-2026-25584 (same product: Color Iccdev)
CVE-2026-21678 (same product: Color Iccdev)
CVE-2026-25634 (same product: Color Iccdev)
CVE-2026-21676 (same product: Color Iccdev)
CVE-2026-30987 (same product: Color Iccdev)
CVE-2026-31795 (same product: Color Iccdev)

References