Cyber Posture

CVE-2026-41254

Severity: Medium · Public PoC

Published: 18 April 2026
Modified: 07 May 2026
KEV Added: not listed
Patch: n/a
CVSS Score: 4.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L)
EPSS Score: 0.0003 (8.8th percentile)
Risk Priority: 8 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41254 is a medium-severity Incorrect Behavior Order (CWE-696) vulnerability in Little CMS (lcms2) by littlecms. Its CVSS v3.1 base score is 4.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 8.8th percentile by exploit likelihood (EPSS 0.0003, below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Directly requires timely remediation of the integer overflow flaw in lcms2 by installing the patches from the referenced GitHub commits.

detect (RA-5, Vulnerability Monitoring and Scanning): Enables identification of systems running vulnerable lcms2 versions through regular vulnerability scanning for CVE-2026-41254.

prevent: Provides memory protections such as ASLR and DEP that mitigate exploitation of the integer overflow that could otherwise lead to information disclosure or denial of service.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

An integer overflow in a locally reachable library function can be triggered to cause a partial denial of service, which maps to application or system exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.

Deeper analysis

CVE-2026-41254 is an integer overflow vulnerability in the CubeSize function within cmslut.c in Little CMS (lcms2) versions through 2.18. The flaw occurs because the overflow check is performed after the multiplication, so a product that has already wrapped can pass the check and large values are handled incorrectly (classified under CWE-696 and CWE-190). The vulnerability was published on 2026-04-18 with a CVSS v3.1 base score of 4.0.

The vulnerability requires local access (AV:L) and high attack complexity (AC:H) to exploit, with no privileges (PR:N), no user interaction (UI:N), and unchanged scope (S:U). A successful attack could lead to low-impact confidentiality loss, such as limited information disclosure, and low-impact availability disruption, such as a partial denial of service.

Patches addressing the issue are available in the Little-CMS GitHub repository via commits da6110b1d14abc394633a388209abd5ebedd7ab0 and e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc. Additional details on mitigation and the vulnerability are provided in the GitHub Security Advisory at GHSA-4xp6-rcgg-m9qq, a technical analysis at https://abhinavagarwal07.github.io/posts/lcms2-cubesize-overflow/, and an announcement on the oss-security mailing list at https://www.openwall.com/lists/oss-security/2026/04/17/16.
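To make the ordering defect concrete, the following is an added C model of a CubeSize-style grid-size computation written for this page (hypothetical code, not lcms2's own source): the first variant multiplies and only then compares against UINT32_MAX / dim, the second performs that comparison before multiplying. The dimension arrays are constructed inputs chosen so that the product wraps modulo 2^32.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed inputs (hypothetical). Dimensions are consumed from the last
 * element to the first, mirroring a loop that counts b down to zero. */
static const uint32_t SANE_DIMS[] = { 3u, 3u, 3u };
static const uint32_t WRAP_DIMS[] = { 3u, 2u, 4u, 16u, 256u, 49152u };

/* Vulnerable ordering: multiply first, test afterwards. Once the product
 * has wrapped, the test inspects the small wrapped value and accepts it. */
uint32_t cube_size_check_after(const uint32_t dims[], uint32_t n)
{
    uint32_t rv = 1u;
    for (; n > 0; n--) {
        uint32_t dim = dims[n - 1];
        if (dim <= 1u) return 0;                 /* degenerate dimension */
        rv *= dim;                               /* may wrap here */
        if (rv > UINT32_MAX / dim) return 0;     /* too late to catch the wrap */
    }
    return rv;
}

/* Hardened ordering: reject before multiplying whenever rv * dim would
 * exceed UINT32_MAX, so rv never holds a wrapped product. */
uint32_t cube_size_check_before(const uint32_t dims[], uint32_t n)
{
    uint32_t rv = 1u;
    for (; n > 0; n--) {
        uint32_t dim = dims[n - 1];
        if (dim <= 1u) return 0;
        if (rv > UINT32_MAX / dim) return 0;     /* rv * dim would overflow */
        rv *= dim;
    }
    return rv;
}

/* Exact product in 64 bits, to show how far the wrapped value is off. */
uint64_t true_cube_size(const uint32_t dims[], uint32_t n)
{
    uint64_t p = 1u;
    while (n > 0) p *= dims[--n];
    return p;
}

uint32_t wrapped_size_vulnerable(void) { return cube_size_check_after(WRAP_DIMS, 6u); }
uint32_t wrapped_size_hardened(void)   { return cube_size_check_before(WRAP_DIMS, 6u); }
uint32_t sane_size_vulnerable(void)    { return cube_size_check_after(SANE_DIMS, 3u); }
uint32_t sane_size_hardened(void)      { return cube_size_check_before(SANE_DIMS, 3u); }
```

On the wrapping input the check-after variant returns 536870912 (2^29) for a true size of 4831838208, which does not fit in 32 bits, while the check-before variant returns 0 and the caller can refuse the table.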

Details

CWE(s): CWE-696 (Incorrect Behavior Order), CWE-190 (Integer Overflow or Wraparound)

Affected Products: littlecms / little cms, versions ≤ 2.18

CVEs Like This One

CVE-2026-35092 (shared CWE-190)
CVE-2025-0150 (shared CWE-696)
CVE-2026-35627 (shared CWE-696)
CVE-2026-33040 (shared CWE-190)
CVE-2026-33666 (shared CWE-190)
CVE-2026-24173 (shared CWE-190)
CVE-2026-33662 (shared CWE-190)
CVE-2026-27951 (shared CWE-190)
CVE-2026-31814 (shared CWE-190)
CVE-2026-40385 (shared CWE-190)