CVE-2026-41254

Exploit

EPSS 0.03%
Veröffentlicht 18.04.2026 06:43:13
Zuletzt bearbeitet 07.05.2026 18:16:19
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Littlecms ≫ Little Cms Version <= 2.18

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.088

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
cve@mitre.org	4	1.4	2.5	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

CWE-696 Incorrect Behavior Order

The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0

Patch

https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc

Patch

https://www.openwall.com/lists/oss-security/2026/04/17/16

Third Party Advisory

Mailing List

https://github.com/mm2/Little-CMS/security/advisories/GHSA-4xp6-rcgg-m9qq

Broken Link

https://abhinavagarwal07.github.io/posts/lcms2-cubesize-overflow/