← Back ⬡ Vulnerabilities & CVEs Apr 01, 2026

CVE-2026-34537 | InternationalColorConsortium iccDEV 2.3.1.1/2.3.1.2/2.3.1.3/2.3.1.4/2.3.1.5 ICC Color Profile CIccOpDefEnvVar::Exec reliance on undefined, unspecified, or implementation-defined behavior (ID 670)

VulDB Archived Apr 01, 2026 ✓ Full text saved

A vulnerability was found in InternationalColorConsortium iccDEV 2.3.1.1/2.3.1.2/2.3.1.3/2.3.1.4/2.3.1.5 . It has been declared as problematic . The impacted element is the function CIccOpDefEnvVar::Exec of the component ICC Color Profile Handler . The manipulation results in reliance on undefined, unspecified, or implementation-defined behavior. This vulnerability is known as CVE-2026-34537 . It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the

Full text archived locally

✦ AI Summary · Claude Sonnet

VDB-354571 · CVE-2026-34537 · ID 670 INTERNATIONALCOLORCONSORTIUM ICCDEV 2.3.1.1/2.3.1.2/2.3.1.3/2.3.1.4/2.3.1.5 ICC COLOR PROFILE CICCOPDEFENVVAR::EXEC RELIANCE ON UNDEFINED, UNSPECIFIED, OR IMPLEMENTATION-DEFINED BEHAVIOR HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 5.1 $0-$5k 1.50+ Summaryinfo A vulnerability was found in InternationalColorConsortium iccDEV. It has been rated as problematic. This affects the function CIccOpDefEnvVar::Exec of the component ICC Color Profile Handler. This manipulation causes reliance on undefined, unspecified, or implementation-defined behavior. This vulnerability is handled as CVE-2026-34537. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised. Detailsinfo A vulnerability was found in InternationalColorConsortium iccDEV. It has been declared as problematic. Affected by this vulnerability is the function CIccOpDefEnvVar::Exec of the component ICC Color Profile Handler. The manipulation with an unknown input leads to a reliance on undefined, unspecified, or implementation-defined behavior vulnerability. The CWE definition for the vulnerability is CWE-758. The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. As an impact it is known to affect availability. The summary by CVE is: iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) in CIccOpDefEnvVar::Exec() due to invalid enum values being loaded for icSigCmmEnvVar. The issue is observable under UBSan as a “load of value … not a valid value for type icSigCmmEnvVar”, indicating an invalid enum/type value being consumed during ICC profile processing. This issue has been patched in version 2.3.1.6. It is possible to read the advisory at github.com. This vulnerability is known as CVE-2026-34537 since 03/30/2026. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. Upgrading to version 2.3.1.6 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version. Productinfo Vendor InternationalColorConsortium Name iccDEV Version 2.3.1.1 2.3.1.2 2.3.1.3 2.3.1.4 2.3.1.5 Website Product: https://github.com/InternationalColorConsortium/iccDEV/ CPE 2.3info 🔒 🔒 🔒 CPE 2.2info 🔒 🔒 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 5.2 VulDB Meta Temp Score: 5.1 VulDB Base Score: 4.3 VulDB Temp Score: 4.1 VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA Base Score: 6.2 CNA Vector (GitHub_M): 🔒 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Reliance on undefined, unspecified, or implementation-defined behavior CWE: CWE-758 CAPEC: 🔒 ATT&CK: 🔒 Physical: Partially Local: Yes Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: iccDEV 2.3.1.6 Patch: github.com Timelineinfo 03/30/2026 CVE reserved 04/01/2026 +2 days Advisory disclosed 04/01/2026 +0 days VulDB entry created 04/01/2026 +0 days VulDB entry last update Sourcesinfo Product: github.com Advisory: 670 Status: Confirmed CVE: CVE-2026-34537 (🔒) GCVE (CVE): GCVE-0-2026-34537 GCVE (VulDB): GCVE-100-354571 Entryinfo Created: 04/01/2026 04:23 Changes: 04/01/2026 04:23 (66) Complete: 🔍 Cache ID: 99:1C0:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸

💬 Team Notes