Cyber Posture

CVE-2026-22047

Severity: High · Public PoC available

Published: 07 January 2026
Modified: 14 January 2026
KEV Added:
Patch: available (iccDEV 2.3.1.2)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow vulnerability in `SIccCalcOp::Describe()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

Mitigating Controls (NIST 800-53 r5), AI-generated mapping

SI-2 Flaw Remediation (prevent)
Mandates timely remediation of identified software flaws, directly requiring patching of the heap-buffer-overflow in iccDEV versions prior to 2.3.1.2.

SI-16 Memory Protection (prevent)
Implements memory protection mechanisms (non-executable heap, ASLR, hardened allocators) that raise the cost of turning the heap buffer overflow into code execution; they do not remove the flaw, and a crash (denial of service) remains possible.

SI-10 Information Input Validation (prevent)
Requires validation of untrusted inputs such as ICC color profiles before they reach the parser. Because the overflow is inside the library's own handling of profile contents, structural pre-validation limits exposure but is not a substitute for the 2.3.1.2 patch (the advisory lists no workaround).
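The input-validation control above is abstract; the following is an added example (not iccDEV code and not a workaround, since the advisory lists none) of what a structural pre-check on an untrusted ICC profile can look like before the bytes are handed to a colour-management library. It bounds-checks the 128-byte header, the tag table, and any multiProcessElementsType (`mpet`) tag, and reports which element types the `mpet` tags contain, so a triage pipeline can flag profiles that carry an iccMAX calculator element (`calc`), the element type implemented in `IccMpeCalc.cpp`. The byte layouts follow the ICC v4/iccMAX specification as read by the author of this example; the `MAX_TAGS` cap and all sample profiles are constructed here and are assumptions, not real colour data.

```python
import struct
from dataclasses import dataclass, field

ICC_HEADER_LEN = 128
ICC_MAGIC = b"acsp"        # profile file signature at header offset 36
MPE_TYPE = b"mpet"         # multiProcessElementsType tag type (ICC v4 / iccMAX)
CALC_ELEMENT = b"calc"     # iccMAX calculator element, the code path in IccMpeCalc.cpp
MAX_TAGS = 4096            # assumed sanity cap for the tag count, not from the spec


@dataclass
class IccCheck:
    ok: bool = False
    errors: list = field(default_factory=list)
    tags: list = field(default_factory=list)          # tag signatures in the tag table
    mpe_elements: list = field(default_factory=list)  # element signatures inside mpet tags


def _in_bounds(off: int, size: int, limit: int) -> bool:
    return off >= 0 and size >= 0 and off + size <= limit


def _check_mpet(data: bytes, tag_off: int, tag_size: int, res: IccCheck) -> None:
    # mpet layout: type(4) reserved(4) inCh(2) outCh(2) nElems(4), then nElems x (offset, size);
    # element offsets are relative to the start of the tag, not of the profile.
    if tag_size < 16:
        res.errors.append(f"mpet at {tag_off}: shorter than its fixed header")
        return
    n_elems = struct.unpack(">I", data[tag_off + 12:tag_off + 16])[0]
    if 16 + n_elems * 8 > tag_size:           # claimed count inconsistent with tag length
        res.errors.append(f"mpet at {tag_off}: {n_elems} elements do not fit in {tag_size} bytes")
        return
    for i in range(n_elems):
        e_off, e_size = struct.unpack(">II", data[tag_off + 16 + i * 8:tag_off + 24 + i * 8])
        if e_size < 12 or not _in_bounds(e_off, e_size, tag_size):
            res.errors.append(f"mpet at {tag_off}: element {i} out of bounds")
            continue
        res.mpe_elements.append(data[tag_off + e_off:tag_off + e_off + 4])


def check_icc(data: bytes) -> IccCheck:
    """Bounds-check header, tag table and any mpet tags; never trusts a length field."""
    res = IccCheck()
    if len(data) < ICC_HEADER_LEN + 4:
        res.errors.append("shorter than an ICC header plus tag count")
        return res
    size = struct.unpack(">I", data[0:4])[0]
    if data[36:40] != ICC_MAGIC:
        res.errors.append("missing 'acsp' signature")
    if size != len(data):
        res.errors.append(f"header size {size} != actual {len(data)}")
    limit = min(size, len(data))
    n_tags = struct.unpack(">I", data[128:132])[0]
    if n_tags > MAX_TAGS or 132 + n_tags * 12 > limit:
        res.errors.append(f"tag table of {n_tags} entries does not fit")
        return res
    for i in range(n_tags):
        sig, off, tsize = struct.unpack(">4sII", data[132 + i * 12:144 + i * 12])
        res.tags.append(sig)
        if tsize < 8 or not _in_bounds(off, tsize, limit):
            res.errors.append(f"tag {sig!r}: offset {off} size {tsize} out of bounds")
            continue
        if data[off:off + 4] == MPE_TYPE:
            _check_mpet(data, off, tsize, res)
    res.ok = not res.errors
    return res


# --- constructed test profiles (synthetic bytes, not real colour data) ---------------

def build_mpet(elements: list, claimed=None) -> bytes:
    """mpet payload; 'claimed' lets a test lie about the element count."""
    n = len(elements)
    hdr = MPE_TYPE + b"\0" * 4 + struct.pack(">HHI", 3, 3, n if claimed is None else claimed)
    table, blobs = b"", b""
    for e in elements:
        table += struct.pack(">II", 16 + 8 * n + len(blobs), len(e))
        blobs += e
    return hdr + table + blobs


def build_profile(tags: list, bad_offset: bool = False) -> bytes:
    """Minimal profile: header, tag table, 4-byte-aligned tag data."""
    prof = bytearray(ICC_HEADER_LEN)
    prof[36:40] = ICC_MAGIC
    prof += struct.pack(">I", len(tags))
    data_off = len(prof) + 12 * len(tags)
    body = bytearray()
    for sig, payload in tags:
        off = 0xFFFF0000 if bad_offset else data_off + len(body)   # out of range when bad
        prof += struct.pack(">4sII", sig, off, len(payload))
        body += payload + b"\0" * (-len(payload) % 4)
    prof += body
    struct.pack_into(">I", prof, 0, len(prof))
    return bytes(prof)


CALC_BLOB = CALC_ELEMENT + b"\0" * 4 + struct.pack(">HH", 3, 3) + b"\0" * 8
DESC_TAG = (b"desc", b"desc" + b"\0" * 12)

if __name__ == "__main__":
    good = check_icc(build_profile([DESC_TAG, (b"D2B0", build_mpet([CALC_BLOB]))]))
    print("well-formed:", good.ok, "calc element present:", CALC_ELEMENT in good.mpe_elements)
    print("bad tag offset:", check_icc(build_profile([DESC_TAG], bad_offset=True)).errors)
    print("lying count:", check_icc(build_profile([(b"D2B0", build_mpet([CALC_BLOB], claimed=1000))])).errors)
```

A profile that passes `check_icc` can still trigger the library bug, because the overflow is in the library's own processing of the element; the value of the check is rejecting malformed containers early and giving the triage pipeline a cheap signal (presence of `calc` elements) for which files deserve a look on hosts still running a version prior to 2.3.1.2.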

Security Summary, AI-generated

CVE-2026-22047 is a heap-buffer-overflow vulnerability in the iccDEV library, which provides tools and libraries for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles. The flaw resides in the `SIccCalcOp::Describe()` function within `IccProfLib/IccMpeCalc.cpp` and affects all versions prior to 2.3.1.2. Applications or systems that process untrusted ICC color profiles using the vulnerable iccDEV library are at risk.

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though user interaction is necessary, such as convincing a user to open or process a malicious ICC profile. Successful exploitation leads to high-impact confidentiality, integrity, and availability consequences (CVSS 8.8), potentially enabling arbitrary code execution, data corruption, or denial of service via heap overflow. The issue maps to CWEs including CWE-787 (Out-of-bounds Write), CWE-252 (Unchecked Return Value), CWE-130 (Improper Handling of Length Parameter Inconsistency), and CWE-20 (Improper Input Validation).

The official patch is available in iccDEV version 2.3.1.2, as detailed in the project's GitHub security advisory (GHSA-22q7-8347-79m5), pull request #459, and issue #454. No workarounds are known, so security practitioners should prioritize upgrading affected libraries and scanning for vulnerable versions in dependent software.

Details

CWE(s)

CWE-787 Out-of-bounds Write
CWE-252 Unchecked Return Value
CWE-130 Improper Handling of Length Parameter Inconsistency
CWE-20 Improper Input Validation

Affected Products

color
iccdev
< 2.3.1.2 (2.3.1.2 is the first fixed release)

MITRE ATT&CK Enterprise Techniques, AI-generated mapping

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap-buffer-overflow in iccDEV library enables arbitrary code execution via exploitation of client software processing untrusted ICC profiles, directly mapping to Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
