A remote code execution vulnerability exists in the way that the Color Management Module (ICM32.dll) handles objects in memory. A crafted Named Color Profile can lead to an out-of-bounds write to heap memory due to a faulty bounds check.
High - Remote Code Execution
High - Color Profiles widely accessible through containers like images
CVE-2020-1117
A crafted Named Color Profile can lead to an out-of-bounds write while performing color transformation.
This issue was fixed as part of the May 2020 patch by fixing the faulty bounds check.
Dhanesh Kizhakkinan
- 04 February 2020 - Issue reported to vendor
- 18 February 2020 - Issue confirmed
- 12 May 2020 - Issue fixed and security advisory released
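
The advisory attributes the bug to a faulty bounds check on a Named Color Profile but does not say which field was involved. As an added illustration (not ICM32.dll's code and not the vendor's fix), the following C code shows an overflow-safe consistency check a parser can apply to an ICC `ncl2` (namedColor2Type) tag before trusting its declared counts; the function names, status codes, and the 15-coordinate cap are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ICC namedColor2Type ('ncl2') tag element layout (ICC.1 specification):
 *   0 sig "ncl2" | 4 reserved | 8 vendor flags | 12 count | 16 device coords
 *  20 prefix[32] | 52 suffix[32] | 84 entries: name[32], PCS 3 x u16, dev n x u16 */
#define NCL2_HEADER    84u
#define NCL2_NAME      32u
#define MAX_DEV_COORDS 15u  /* assumption: cap at ICC's largest (15-channel) space */
enum ncl2_status { NCL2_OK, NCL2_TRUNCATED, NCL2_BAD_SIG,
                   NCL2_BAD_COORDS, NCL2_COUNT_EXCEEDS_DATA };

static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Compare the declared count by division so no multiplication can wrap. */
enum ncl2_status ncl2_validate(const uint8_t *tag, size_t len) {
    if (tag == NULL || len < NCL2_HEADER) return NCL2_TRUNCATED;
    if (memcmp(tag, "ncl2", 4) != 0) return NCL2_BAD_SIG;
    uint32_t count = get_be32(tag + 12);
    uint32_t ndev = get_be32(tag + 16);
    if (ndev > MAX_DEV_COORDS) return NCL2_BAD_COORDS;
    size_t entry = NCL2_NAME + 2u * (3u + ndev);      /* 38..68 bytes */
    if (count > (len - NCL2_HEADER) / entry) return NCL2_COUNT_EXCEEDS_DATA;
    return NCL2_OK;
}

/* Constructed test input (hypothetical helper): holds `actual` 4-coord entries. */
size_t ncl2_build_sample(uint8_t *buf, size_t cap, uint32_t count,
                         uint32_t ndev, uint32_t actual) {
    size_t len = NCL2_HEADER + (size_t)actual * (NCL2_NAME + 2u * (3u + 4u));
    if (len > cap) return 0;
    memset(buf, 0, len);
    memcpy(buf, "ncl2", 4);
    put_be32(buf + 12, count);
    put_be32(buf + 16, ndev);
    return len;
}

int main(void) {
    uint8_t buf[256]; size_t n = ncl2_build_sample(buf, sizeof buf, 3, 4, 2);
    return ncl2_validate(buf, n) == NCL2_COUNT_EXCEEDS_DATA ? 0 : 1;
}
```

A full profile screener would also check that the tag table's offset and size for this element lie inside the file before calling `ncl2_validate`.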