Fluid Attacks Database

Description

A heap buffer overflow vulnerability has been identified in thesmooth2() in cmsgamma.c in lcms2-2.16 which allows a remote attacker to cause a denial of service. NOTE: the Supplier disputes this because "this is not exploitable as this function is never called on normal color management, is there only as a helper for low-level programming and investigation."

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 11	lcms2	=2.12~rc1-2 \|\| =2.13.1-1 \|\| =2.14-1 \|\| =2.14-2 \|\| =2.16-1 \|\| =2.16-2 \|\| =2.17-1
debian 12	lcms2	=2.14-2 \|\| =2.16-1 \|\| =2.16-2 \|\| =2.17-1
debian 13	lcms2	=2.16-2 \|\| =2.17-1
debian 14	lcms2	=2.16-2 \|\| =2.17-1

Aliases

1. CVE-2025-290702. NVD-2025-290703. OSV-DEBIAN-2025-290704. OSV-2025-290705. SECURITY-TRACKER-CVE-2025-29070

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.