{"api_version":"1","generated_at":"2026-04-21T13:35:02+00:00","cve":"CVE-2026-34548","urls":{"html":"https://cve.report/CVE-2026-34548","api":"https://cve.report/api/cve/CVE-2026-34548.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34548","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34548"},"summary":{"title":"iccDEV: UB at IccUtilXml.cpp","description":"iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in the XML conversion tooling path (iccToXml) caused by an implicit conversion from a negative signed integer to icUInt32Number (unsigned 32-bit), which changes the value. This issue has been patched in version 2.3.1.6.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-03-31 23:17:09","updated_at":"2026-04-01 14:23:37"},"problem_types":["CWE-681","CWE-681 CWE-681: Incorrect Conversion between Numeric Types"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"6.2","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":6.2,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.2","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":6.2,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-prwp-9gv6-ccxv","name":"https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-prwp-9gv6-ccxv","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/InternationalColorConsortium/iccDEV/issues/722","name":"https://github.com/InternationalColorConsortium/iccDEV/issues/722","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/InternationalColorConsortium/iccDEV/pull/725","name":"https://github.com/InternationalColorConsortium/iccDEV/pull/725","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34548","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34548","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"InternationalColorConsortium","product":"iccDEV","version":"affected < 2.3.1.6","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"34548","cve":"CVE-2026-34548","epss":"0.000150000","percentile":"0.033720000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:40"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-34548","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-01T19:00:41.176114Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-01T19:00:50.308Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"iccDEV","vendor":"InternationalColorConsortium","versions":[{"status":"affected","version":"< 2.3.1.6"}]}],"descriptions":[{"lang":"en","value":"iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in the XML conversion tooling path (iccToXml) caused by an implicit conversion from a negative signed integer to icUInt32Number (unsigned 32-bit), which changes the value. This issue has been patched in version 2.3.1.6."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":6.2,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-681","description":"CWE-681: Incorrect Conversion between Numeric Types","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-03-31T22:09:49.333Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-prwp-9gv6-ccxv","tags":["x_refsource_CONFIRM"],"url":"https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-prwp-9gv6-ccxv"},{"name":"https://github.com/InternationalColorConsortium/iccDEV/issues/722","tags":["x_refsource_MISC"],"url":"https://github.com/InternationalColorConsortium/iccDEV/issues/722"},{"name":"https://github.com/InternationalColorConsortium/iccDEV/pull/725","tags":["x_refsource_MISC"],"url":"https://github.com/InternationalColorConsortium/iccDEV/pull/725"}],"source":{"advisory":"GHSA-prwp-9gv6-ccxv","discovery":"UNKNOWN"},"title":"iccDEV: UB at IccUtilXml.cpp"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-34548","datePublished":"2026-03-31T22:09:49.333Z","dateReserved":"2026-03-30T16:31:39.264Z","dateUpdated":"2026-04-01T19:00:50.308Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-31 23:17:09","lastModifiedDate":"2026-04-01 14:23:37","problem_types":["CWE-681","CWE-681 CWE-681: Incorrect Conversion between Numeric Types"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":6.2,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.5,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34548","Ordinal":"1","Title":"iccDEV: UB at IccUtilXml.cpp","CVE":"CVE-2026-34548","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34548","Ordinal":"1","NoteData":"iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) condition in the XML conversion tooling path (iccToXml) caused by an implicit conversion from a negative signed integer to icUInt32Number (unsigned 32-bit), which changes the value. This issue has been patched in version 2.3.1.6.","Type":"Description","Title":"iccDEV: UB at IccUtilXml.cpp"}]}}}