PT-2026-29405 · Iccdev · Iccdev

Xsscx · Published 2026-03-31 · Updated 2026-04-01

CVE-2026-34556 · CVSS v3.1 6.2 Medium · Vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: iccDEV versions prior to 2.3.1.6

Description: iccDEV provides libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a heap-buffer-overflow (HBO) exists in the icAnsiToUtf8() function within the XML conversion path. This issue is triggered by a crafted ICC profile that causes icAnsiToUtf8(std::string&, char const*) to treat an input buffer as a C-string and perform operations relying on strlen() and null-termination. AddressSanitizer reports an out-of-bounds read of size 115 past a 114-byte heap allocation, observed when running the iccToXml tool.

Recommendations: Versions prior to 2.3.1.6 should be updated to version 2.3.1.6 or later.
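As an added illustration (not iccDEV's own code), the pattern the description names beside its bounded counterpart: a hypothetical Latin-1 to UTF-8 conversion that takes the buffer length explicitly and uses memchr() instead of strlen(), so a constructed 114-byte field with no terminator is converted without reading past it.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded conversion (not iccDEV's icAnsiToUtf8). Latin-1 bytes
 * below 0x80 map to themselves; bytes >= 0x80 become a two-byte UTF-8 sequence.
 * in_len is the size of the allocation the field lives in: an embedded NUL
 * still ends the string, but no byte beyond in_len is ever read.
 * Returns a malloc'd NUL-terminated string (caller frees) or NULL. */
char *ansi_to_utf8_bounded(const unsigned char *in, size_t in_len) {
    /* memchr() is the length-aware replacement for strlen() */
    const unsigned char *nul = memchr(in, 0, in_len);
    size_t n = nul ? (size_t)(nul - in) : in_len;
    char *out = malloc(2 * n + 1);          /* worst case: every byte doubles */
    if (out == NULL) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (c < 0x80) {
            out[o++] = (char)c;
        } else {
            out[o++] = (char)(0xC0 | (c >> 6));     /* lead byte */
            out[o++] = (char)(0x80 | (c & 0x3F));   /* continuation byte */
        }
    }
    out[o] = '\0';
    return out;
}

/* The pattern the advisory describes: the input is assumed to be a C-string.
 * Correct only when a terminator is guaranteed; for a profile field copied
 * into a 114-byte allocation without one, this strlen() is the out-of-bounds read. */
char *ansi_to_utf8_unbounded(const char *in) {
    return ansi_to_utf8_bounded((const unsigned char *)in, strlen(in) + 1);
}

int main(void) {
    unsigned char field[114];            /* constructed: mirrors the 114-byte allocation */
    memset(field, 'A', sizeof field);    /* no terminating NUL anywhere in it */
    field[0] = 0xE9;                     /* Latin-1 e-acute, expands to C3 A9 */
    char *utf8 = ansi_to_utf8_bounded(field, sizeof field);
    if (utf8 != NULL) printf("%zu UTF-8 bytes\n", strlen(utf8));   /* 115 */
    free(utf8);
    return 0;
}
```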

Weakness Enumeration

Out-of-bounds Read

Related Identifiers

CVE-2026-34556
GHSA-P9WM-XFV4-43QG

Affected Products

Iccdev