CVE-2026-25634
Published: 06 February 2026
Summary
CVE-2026-25634 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Color Iccdev. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely identification, reporting, and correction of the buffer overlap flaw in iccDEV via patching to version 2.3.1.4 or later.
Implements memory protection mechanisms such as stack canaries, ASLR, and DEP to prevent exploitation of the overlapping SrcPixel and DestPixel stack buffers leading to out-of-bounds writes.
Requires vulnerability scanning to identify systems running vulnerable iccDEV versions prior to 2.3.1.4, enabling prioritization of remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Memory corruption (out-of-bounds write/write-what-where) in client-side ICC profile processing library enables arbitrary code execution when a user processes a malicious profile file (T1203 Exploitation for Client Execution via T1204.002 Malicious File).
NVD Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers overlap in CIccTagMultiProcessElement::Apply() int IccTagMPE.cpp. This vulnerability is fixed in 2.3.1.4.
Deeper analysisAI
CVE-2026-25634 affects the iccDEV library, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions prior to 2.3.1.4, the SrcPixel and DestPixel stack buffers overlap in the CIccTagMultiProcessElement::Apply() function in IccTagMPE.cpp. This issue is associated with CWEs including CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-123 (Write-what-where Condition), CWE-628 (Function Call with Incorrectly Specified Arguments), CWE-682 (Incorrect Calculation of Buffer Size), and CWE-787 (Out-of-bounds Write).
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). An unprivileged local attacker can exploit it with low complexity by tricking a user into processing a specially crafted ICC profile, potentially achieving high confidentiality, integrity, and availability impacts such as arbitrary code execution through buffer manipulation.
Mitigation is available in iccDEV version 2.3.1.4, which includes the fixing commit at https://github.com/InternationalColorConsortium/iccDEV/commit/9206e0b8684e4cf4186d9ae768f16760bc1af9ff. Additional details are provided in the GitHub security advisory at https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-35rg-jcmp-583h, issue #577 at https://github.com/InternationalColorConsortium/iccDEV/issues/577, pull request #579 at https://github.com/InternationalColorConsortium/iccDEV/pull/579, and release notes at https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.4. Security practitioners should prioritize updating affected iccDEV instances to 2.3.1.4 or later.
Details
- CWE(s)