CVE-2026-21487
Published: 06 January 2026
Summary
CVE-2026-21487 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 6.1 (Medium).
Operationally, ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21487 is a vulnerability in iccDEV, a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below suffer from an out-of-bounds read, use of out-of-range pointer offset, and improper input validation in the CIccProfile::LoadTag function. Published on 2026-01-06, it carries a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) and maps to CWEs 20 (Improper Input Validation), 125 (Out-of-bounds Read), and 823 (Use of Out-of-range Pointer Offset).
The vulnerability can be exploited by a local attacker with no privileges required, though it demands low attack complexity and user interaction, such as convincing a user to process a specially crafted ICC profile. Successful exploitation enables limited disclosure of sensitive information from memory alongside a high-impact denial of service, potentially leading to application crashes or instability without affecting integrity.
Mitigation is available via an update to iccDEV version 2.3.1.2, which addresses the flaws in CIccProfile::LoadTag. Official details are documented in the project's GitHub security advisory (GHSA-xq7x-9524-f7cp), related issue (#340), and the fixing commit (1516e2cafc253bb06fd3700d589a4ed0f09f7bd6). Security practitioners should prioritize patching affected systems handling ICC profiles.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1154
Vulnerability details
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have an Out-of-bounds Read, Use of Out-of-range Pointer Offset and have Improper Input Validation in its CIccProfile::LoadTag function. This issue is…
more
fixed in version 2.3.1.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Insufficient information to map techniques.CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of ICC profile input to CIccProfile::LoadTag before processing, blocking the malformed data that triggers the OOB read and pointer offset.
Mandates timely application of the vendor patch (v2.3.1.2) that corrects the input-validation flaw in LoadTag.
Implements memory-access protections that can block or contain the out-of-bounds read and out-of-range pointer offset during profile parsing.