CVE-2026-34537

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) in CIccOpDefEnvVar::Exec() due to invalid enum values being loaded for icSigCmmEnvVar. The issue is observable under UBSan as a “load of value … not a valid value for type icSigCmmEnvVar”, indicating an invalid enum/type value being consumed during ICC profile processing. This issue has been patched in version 2.3.1.6.

CVSS v3 6.2 MEDIUM

6.2^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.5 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/InternationalColorConsortium/iccDEV/issues/670	Issue Tracking Exploit
https://github.com/InternationalColorConsortium/iccDEV/pull/685	Issue Tracking Patch
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3m63-c4jf-592f	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*

History

20 Apr 2026, 13:51

Type	Values Removed	Values Added
CPE		cpe:2.3:a:color:iccdev::::::::
Summary		(es) iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gestión de color ICC. Antes de la versión 2.3.1.6, un perfil ICC manipulado puede desencadenar Comportamiento Indefinido (CI) en CIccOpDefEnvVar::Exec() debido a que se cargan valores enum no válidos para icSigCmmEnvVar. El problema es observable bajo UBSan como una 'carga de valor... no es un valor válido para el tipo icSigCmmEnvVar', lo que indica que se consume un valor enum/tipo no válido durante el procesamiento del perfil ICC. Este problema ha sido parcheado en la versión 2.3.1.6.
First Time		Color Color iccdev
References	~~() https://github.com/InternationalColorConsortium/iccDEV/issues/670 -~~	() https://github.com/InternationalColorConsortium/iccDEV/issues/670 - Issue Tracking, Exploit
References	~~() https://github.com/InternationalColorConsortium/iccDEV/pull/685 -~~	() https://github.com/InternationalColorConsortium/iccDEV/pull/685 - Issue Tracking, Patch
References	~~() https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3m63-c4jf-592f -~~	() https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3m63-c4jf-592f - Patch, Vendor Advisory

31 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-31 22:16

Updated : 2026-04-20 13:51

NVD link : CVE-2026-34537

Mitre link : CVE-2026-34537

CVE.ORG link : CVE-2026-34537

JSON object : View

Products Affected

color

iccdev

CWE

CWE-758

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

6.2 /10