CVE-2026-27691

low-risk

Published 2026-02-25

iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, signed integer overflow in iccFromCube.cpp during multiplication triggers undefined behavior, potentially causing crashes or incorrect ICC profile generation when processing crafted/large cube inputs. Commit 43ae18dd69fc70190d3632a18a3af2f3da1e052a fixes the issue. No known workarounds are available.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.2/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Iccdev

Affected Vendors

Color

References (4)

Patch https://github.com/InternationalColorConsortium/iccDEV/commit/43ae18dd69fc70190d...

Exploit https://github.com/InternationalColorConsortium/iccDEV/issues/607

Issue Tracking https://github.com/InternationalColorConsortium/iccDEV/pull/611

Vendor Advisory https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-...

/ 100

low-risk

Severity 20/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal