CVE-2026-41254
CVSS Score: 4.0 (Medium)
Vulnerability Description
Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.
CVSS Metrics
Common Vulnerability Scoring System
Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
- Attack Vector: L
- Attack Complexity: H
- Privileges Required: N
- User Interaction: N
- Scope: U
- Confidentiality: L
- Integrity: N
- Availability: L
References & Resources
- https://abhinavagarwal07.github.io/posts/lcms2-cubesize-overflow/ (source: cve@mitre.org)
- https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0 (source: cve@mitre.org)
- https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc (source: cve@mitre.org)
- https://github.com/mm2/Little-CMS/security/advisories/GHSA-4xp6-rcgg-m9qq (source: cve@mitre.org)
- https://www.openwall.com/lists/oss-security/2026/04/17/16 (source: cve@mitre.org)
Severity Details
4.0 out of 10.0 (Medium)
Weakness Type (CWE)
CWE-696: Incorrect Behavior Order
- Description: The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.
- Typical Severity: Medium
- Abstraction Level: Class
Key Information
- Published Date: April 18, 2026
