Cyber Resilience

CVE-2026-21487

Severity: Medium · Public PoC available

Published: 06 January 2026

Modified: 12 January 2026
KEV Added: not listed
Patch: iccDEV 2.3.1.2
CVSS v3.1 score: 6.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)
EPSS score: 0.0003 (9.8th percentile)
Risk priority: 12 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21487 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 6.1 (Medium).

Operationally, this CVE ranks at the 9.8th percentile by EPSS exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21487 is a vulnerability in iccDEV, a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below suffer from an out-of-bounds read, use of out-of-range pointer offset, and improper input validation in the CIccProfile::LoadTag function. Published on 2026-01-06, it carries a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) and maps to CWEs 20 (Improper Input Validation), 125 (Out-of-bounds Read), and 823 (Use of Out-of-range Pointer Offset).

The vulnerability is exploitable by a local attacker without any privileges; attack complexity is low, but user interaction is required, such as convincing a user to process a specially crafted ICC profile. Successful exploitation yields limited disclosure of memory contents together with a high-impact denial of service (application crash or instability); integrity is not affected.

Mitigation is available via an update to iccDEV version 2.3.1.2, which addresses the flaws in CIccProfile::LoadTag. Official details are documented in the project's GitHub security advisory (GHSA-xq7x-9524-f7cp), related issue (#340), and the fixing commit (1516e2cafc253bb06fd3700d589a4ed0f09f7bd6). Security practitioners should prioritize patching affected systems handling ICC profiles.

EU & UK References

Vulnerability details

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have an Out-of-bounds Read, Use of Out-of-range Pointer Offset and have Improper Input Validation in its CIccProfile::LoadTag function. This issue is fixed in version 2.3.1.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21678: same product (Color Iccdev)
CVE-2026-21681: same product (Color Iccdev)
CVE-2026-21501: same product (Color Iccdev)
CVE-2026-21684: same product (Color Iccdev)
CVE-2026-21683: same product (Color Iccdev)
CVE-2026-24412: same product (Color Iccdev)
CVE-2026-24403: same product (Color Iccdev)
CVE-2026-21686: same product (Color Iccdev)
CVE-2026-21489: same product (Color Iccdev)
CVE-2026-21677: same product (Color Iccdev)

Affected Assets

Vendor: color
Product: iccdev
Affected versions: ≤ 2.3.1.2

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: SI-10 (Information Input Validation). Directly requires validation of ICC profile input to CIccProfile::LoadTag before processing, blocking the malformed data that triggers the OOB read and pointer offset.

Prevent: SI-2 (Flaw Remediation). Mandates timely application of the vendor patch (v2.3.1.2) that corrects the input-validation flaw in LoadTag.

Prevent: memory-access protections. Implements protections that can block or contain the out-of-bounds read and out-of-range pointer offset during profile parsing.

References