Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.

The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4568 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4568-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                           Chris Lamb     May 06, 2026                                  https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : lcms2     Version        : 2.8-4+deb9u2     CVE ID         : CVE-2026-41254     Debian Bug     : 1134335

    It was discovered that there was an integer overflow vulnerability in     lcms2, aka Little CMS.

    For Debian 11 bullseye, this problem has been fixed in version     2.8-4+deb9u2.

    We recommend that you upgrade your lcms2 packages.

    For the detailed security status of lcms2 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/lcms2

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8209-1 advisory.

    It was discovered that Little CMS incorrectly handled certain malformed ICC profiles. An attacker could     use this issue to cause Little CMS to crash, resulting in a denial of service, or possibly execute     arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the ca62e49c-4150-11f1-95f7-00a098b42aeb advisory.

    https://github.com/mm2/Little-CMS/commit/da6110b1d14abc394633a388209abd5ebedd7ab0 reports:
    Little CMS (lcms2) through 2.18 has an integer overflow in               CubeSize in cmslut.c because the overflow check is performed after               the multiplication.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check     is performed after the multiplication. (CVE-2026-41254)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
313109	Debian dla-4568 : liblcms2-2 - security update	Nessus	Debian Local Security Checks	high
310735	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Little CMS vulnerability (USN-8209-1)	Nessus	Ubuntu Local Security Checks	high
310390	FreeBSD : lcms2 -- Integer overflow (ca62e49c-4150-11f1-95f7-00a098b42aeb)	Nessus	FreeBSD Local Security Checks	high
307441	Linux Distros Unpatched Vulnerability : CVE-2026-41254	Nessus	Misc.	high

Detections

Analytics

CVE-2026-41254

high

Tenable Plugins

high

high

high

high