The vulnerability CVE-2026-34533 affects iccDEV, a set of libraries and tools developed by the International Color Consortium for processing ICC color management profiles. Specifically, the issue is due to reliance on undefined, unspecified, or implementation-defined behavior (CWE-758) when handling invalid enum values in ICC profiles. In the function CIccCalculatorFunc::ApplySequence(), an attacker can craft a malicious ICC profile containing invalid values for the icChannelFuncSignature enum. When such a profile is loaded, it triggers undefined behavior detectable by Undefined Behavior Sanitizer (UBSan) as a load of an invalid enum value. This can lead to memory corruption or crashes, resulting in denial of service. The vulnerability requires local access since the attack vector involves loading a crafted ICC profile, and no user interaction or privileges are necessary. The issue affects all versions of iccDEV prior to 2.3.1.6 and has been addressed in that version. The CVSS v3.1 base score is 6.2, reflecting a medium severity with local attack vector, low complexity, no privileges required, no user interaction, and impact limited to availability. No known exploits have been reported in the wild, but the vulnerability poses a risk to applications that automatically process untrusted ICC profiles.

The primary impact of this vulnerability is denial of service due to application crashes or instability when processing malicious ICC profiles. Organizations that use iccDEV libraries in image processing, printing, or color management workflows could experience service disruptions or application failures if exposed to crafted profiles. While the vulnerability does not directly compromise confidentiality or integrity, availability impacts can affect operational continuity, especially in environments where automated ICC profile processing is integral. Attackers with local access could exploit this flaw to crash services or applications, potentially leading to downtime or requiring manual intervention. Since ICC profiles are often embedded in images or documents, there is a risk if untrusted profiles are processed without validation. The absence of known exploits reduces immediate risk, but the medium severity score and ease of triggering undefined behavior warrant prompt remediation.

Organizations should upgrade iccDEV to version 2.3.1.6 or later, where this vulnerability has been patched. Additionally, implement strict validation and sanitization of ICC profiles before processing, rejecting profiles with invalid or unexpected enum values. Employ runtime protections such as memory safety tools and Undefined Behavior Sanitizer during development and testing to detect similar issues early. Limit local access to systems processing ICC profiles to trusted users only, reducing the attack surface. Where possible, isolate ICC profile processing in sandboxed or containerized environments to contain potential crashes. Monitor application logs for UBSan or related runtime warnings indicating malformed ICC profile processing. Finally, review workflows to avoid automatic processing of untrusted ICC profiles, especially from external or unverified sources.