{"id":"CVE-2026-41254","details":"Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.","aliases":["GHSA-4xp6-rcgg-m9qq"],"modified":"2026-05-01T04:32:46.834147Z","published":"2026-04-18T06:43:13.741Z","database_specific":{"cna_assigner":"mitre","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41254.json","cwe_ids":["CWE-696"]},"references":[{"type":"WEB","url":"https://abhinavagarwal07.github.io/posts/lcms2-cubesize-overflow/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41254.json"},{"type":"FIX","url":"https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0"},{"type":"FIX","url":"https://github.com/mm2/Little-CMS/commit/e0641b1828d0a1af5ecb1b11fe22f24fceefd4bc"},{"type":"ADVISORY","url":"https://github.com/mm2/Little-CMS/security/advisories/GHSA-4xp6-rcgg-m9qq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41254"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/17/16"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mm2/little-cms","events":[{"introduced":"0"},{"last_affected":"35b57af4e1a4d6d7a40ba188f9f4efb7857ff511"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2.18"}],"source":"AFFECTED_FIELD"}}],"versions":["2.11","2.12","lcm2.16rc1","lcms2-2.7","lcms2.10","lcms2.10rc1","lcms2.12","lcms2.12rc1","lcms2.12rc2","lcms2.13","lcms2.13.1","lcms2.13rc1","lcms2.15","lcms2.15rc1","lcms2.16rc1","lcms2.17","lcms2.17rc0","lcms2.18","lcms2.18rc_1","lcms2.2","lcms2.2rc0","lcms2.2rc1","lcms2.2rc2","lcms2.3","lcms2.3rc1","lcms2.3rc2","lcms2.3rc3","lcms2.4","lcms2.4rc1","lcms2.4rc2","lcms2.5","lcms2.5rc1","lcms2.5rc2","lcms2.5rc3","lcms2.6","lcms2.6rc0","lcms2.6rc1","lcms2.6rc3","lcms2.7rc1","lcms2.7rc2","lcms2.7rc3","lcms2.8","lcms2.8rc2","lcms2.9","lcms2.9rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-41254.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"}]}