Integer Overflow Vulnerability in Little CMS by mm2
CVE-2026-41254

4 MEDIUM

Key Information:

Vendor: Littlecms
CVE Published: 18 April 2026

What is CVE-2026-41254?

The vulnerability in Little CMS 2.18 is an integer overflow in the CubeSize function in cmslut.c. The overflow check runs after the multiplication rather than before it, so the value being tested may already have wrapped, which can lead to incorrect calculations. This flaw could be exploited to compromise the integrity of data processing within applications that use Little CMS for color management. Users are advised to apply the necessary patches to mitigate the security risks associated with this vulnerability.
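
The check-after-multiply ordering described above, as a stand-alone C sketch. This is an added example, not Little CMS source code: the function names and input arrays are hypothetical and constructed, and the product is assumed to be a 32-bit unsigned integer. The first function tests after multiplying and accepts a wrapped product; the second tests before multiplying and rejects it.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; a stand-alone sketch of the pattern, not Little CMS source. */

/* Flawed order: multiply first, test afterwards. uint32_t arithmetic wraps
   modulo 2^32, so the test only ever sees the already-wrapped product. */
static uint32_t cube_size_check_after(const uint32_t dims[], uint32_t n)
{
    uint32_t rv = 1;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t dim = dims[i];
        if (dim <= 1) return 0;              /* degenerate dimension: error */
        rv *= dim;                           /* may wrap silently */
        if (rv > UINT32_MAX / dim) return 0; /* inspects the wrapped value */
    }
    return rv;
}

/* Safe order: prove rv * dim fits in 32 bits before computing it. */
static uint32_t cube_size_check_before(const uint32_t dims[], uint32_t n)
{
    uint32_t rv = 1;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t dim = dims[i];
        if (dim <= 1) return 0;
        if (rv > UINT32_MAX / dim) return 0; /* rv * dim would exceed UINT32_MAX */
        rv *= dim;
    }
    return rv;
}

/* Constructed inputs: a product that fits, and one whose true value
   (4295032830) exceeds 2^32 - 1 and wraps to 65534. */
static const uint32_t SMALL_GRID[] = {17, 17, 17};
static const uint32_t WRAP_GRID[]  = {65535, 65538};

int main(void)
{
    printf("fits:  after=%u before=%u\n",
           (unsigned)cube_size_check_after(SMALL_GRID, 3),
           (unsigned)cube_size_check_before(SMALL_GRID, 3));
    printf("wraps: after=%u before=%u (0 means rejected)\n",
           (unsigned)cube_size_check_after(WRAP_GRID, 2),
           (unsigned)cube_size_check_before(WRAP_GRID, 2));
    return 0;
}
```

A caller that sizes a buffer from the accepted value 65534 while later code indexes by the true dimensions is the kind of mismatch the pre-multiplication check prevents.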

Affected Version(s)

little cms color engine 0 <= 2.18

CVSS V3.1

Score: 4
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
