Vulnerability Note VU#369800

Little CMS 2 DefaultICCintents double-free vulnerability

Original Release date: 04 May 2016 | Last revised: 04 May 2016


Little CMS 2 contains a double-free vulnerability in the DefaultICCintents function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.


Little CMS is an open-source color management engine that supports the International Color Consortium (ICC) standard. Little CMS 2.5 and earlier 2.x versions (liblcms2) contain a double-free vulnerability in the DefaultICCintents() function, which is provided in cmscnvrt.c. When the "Lut" cmsPipeline object is freed more than once, this can result in an exploitable memory corruption situation.

Although this issue was addressed in 2013, it was not assigned a CVE identifier at that time. Because of this, some vendors may not have upgraded liblcms2 to a version that contains the fix for this vulnerability.


By causing an application to process a malformed ICC profile, a remote, unauthenticated attacker may be able to cause arbitrary code execution with the privileges of the application that uses the Little CMS library. Exploitability of the vulnerability depends on how the application uses liblcms2 and what capabilities are exposed to an attacker.


Apply an update

This issue is resolved in Little CMS 2.6. Please check with your vendor for update availability.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Arch LinuxAffected29 Apr 201603 May 2016
CentOSAffected29 Apr 201604 May 2016
Debian GNU/LinuxAffected29 Apr 201604 May 2016
Fedora ProjectAffected29 Apr 201604 May 2016
Gentoo LinuxAffected29 Apr 201604 May 2016
openSUSE projectAffected29 Apr 201604 May 2016
Red Hat, Inc.Affected29 Apr 201604 May 2016
Slackware Linux Inc.Affected29 Apr 201604 May 2016
SUSE LinuxAffected29 Apr 201604 May 2016
TurbolinuxAffected29 Apr 201604 May 2016
UbuntuAffected29 Apr 201604 May 2016
Arista Networks, Inc.Not Affected29 Apr 201602 May 2016
LenovoNot Affected02 May 201603 May 2016
AppleUnknown29 Apr 201629 Apr 2016
CoreOSUnknown29 Apr 201629 Apr 2016
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.4 E:U/RL:OF/RC:C
Environmental 7.4 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND



This vulnerability was corrected in 2013 by Marti Maria, and was independently discovered by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2013-7455
  • Date Public: 10 Jul 2013
  • Date First Published: 04 May 2016
  • Date Last Updated: 04 May 2016
  • Document Revision: 15


If you have feedback, comments, or additional information about this vulnerability, please send us email.