Little CMS vulnerability
Published: Mon, 01 Jun 2026 16:24
Summary
Little CMS could be made to crash or run programs if it opened a specially crafted ICC profile.
Details
USN-8209-1 fixed vulnerabilities in Little CMS. This update contains the fixes for Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: It was discovered that Little CMS incorrectly handled certain malformed ICC profiles. An attacker could use this issue to cause Little CMS to crash, resulting in a denial of service, or possibly execute arbitrary code.
Recommended actions per Ubuntu release
StackPatch playbook auto-generated per release codename and per affected package.
Ubuntu bionic
lcms2→2.9-1ubuntu0.1+esm1apt_upgradeStandard apt upgrade. Install 2.9-1ubuntu0.1+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y lcms2
Most apt upgrades restart their service automatically. needrestart lists anything else.
liblcms2-2→2.9-1ubuntu0.1+esm1apt_upgradeStandard apt upgrade. Install 2.9-1ubuntu0.1+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-2
Most apt upgrades restart their service automatically. needrestart lists anything else.
liblcms2-dev→2.9-1ubuntu0.1+esm1apt_upgradeStandard apt upgrade. Install 2.9-1ubuntu0.1+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
liblcms2-utils→2.9-1ubuntu0.1+esm1apt_upgradeStandard apt upgrade. Install 2.9-1ubuntu0.1+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-utils
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu focal
lcms2→2.9-4ubuntu0.1~esm1apt_upgrade_esmFixed at 2.9-4ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y lcms2=2.9-4ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
liblcms2-2→2.9-4ubuntu0.1~esm1apt_upgrade_esmFixed at 2.9-4ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-2=2.9-4ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
liblcms2-dev→2.9-4ubuntu0.1~esm1apt_upgrade_esmFixed at 2.9-4ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-dev=2.9-4ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
liblcms2-utils→2.9-4ubuntu0.1~esm1apt_upgrade_esmFixed at 2.9-4ubuntu0.1~esm1 — ESM-only. Enable Ubuntu Pro (free for 5 personal machines) or treat as watch item.
sudo pro attach <token> sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-utils=2.9-4ubuntu0.1~esm1
Sign up at https://ubuntu.com/pro. Free for personal + small-team use.
Ubuntu trusty
lcms2→2.5-0ubuntu4.2+esm1apt_upgradeStandard apt upgrade. Install 2.5-0ubuntu4.2+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y lcms2
Most apt upgrades restart their service automatically. needrestart lists anything else.
liblcms2-2→2.5-0ubuntu4.2+esm1apt_upgradeStandard apt upgrade. Install 2.5-0ubuntu4.2+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-2
Most apt upgrades restart their service automatically. needrestart lists anything else.
liblcms2-dev→2.5-0ubuntu4.2+esm1apt_upgradeStandard apt upgrade. Install 2.5-0ubuntu4.2+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
liblcms2-utils→2.5-0ubuntu4.2+esm1apt_upgradeStandard apt upgrade. Install 2.5-0ubuntu4.2+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-utils
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu xenial
lcms2→2.6-3ubuntu2.1+esm1apt_upgradeStandard apt upgrade. Install 2.6-3ubuntu2.1+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y lcms2
Most apt upgrades restart their service automatically. needrestart lists anything else.
liblcms2-2→2.6-3ubuntu2.1+esm1apt_upgradeStandard apt upgrade. Install 2.6-3ubuntu2.1+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-2
Most apt upgrades restart their service automatically. needrestart lists anything else.
liblcms2-dev→2.6-3ubuntu2.1+esm1apt_upgradeStandard apt upgrade. Install 2.6-3ubuntu2.1+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
liblcms2-utils→2.6-3ubuntu2.1+esm1apt_upgradeStandard apt upgrade. Install 2.6-3ubuntu2.1+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y liblcms2-utils
Most apt upgrades restart their service automatically. needrestart lists anything else.
Are YOU affected by USN-8209-2?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8209-2 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
StackPatch runs this match against YOUR installed packages every hour
Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.