CVE-2026-21489
Published: 06 January 2026
Summary
CVE-2026-21489 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in iccDEV (listed as Color Iccdev), the ICC color management profile library. Its CVSS v3.1 base score is 6.1 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Malicious File (T1204.002): a victim must open or process a crafted ICC profile. It ranks at the 6.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw sits in ICC profile parsing, so the realistic delivery path is a crafted profile that the victim opens or loads with an affected build (user interaction required). Parsing it triggers an integer underflow and an out-of-bounds read, yielding denial of service and limited data disclosure.
NVD Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have Out-of-bounds Read and Integer Underflow (Wrap or Wraparound) vulnerabilities in its CIccCalculatorFunc::SequenceNeedTempReset function. This issue is fixed in version 2.3.1.2.
Deeper analysis
CVE-2026-21489 affects iccDEV, a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and earlier contain out-of-bounds read (CWE-125) and integer underflow (wrap or wraparound, CWE-191) vulnerabilities in the CIccCalculatorFunc::SequenceNeedTempReset function. The issue was disclosed on January 6, 2026, with a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H) and resolved in version 2.3.1.2.
No privileges are required and the attack is low complexity, but the attack vector is local and requires user interaction: a victim must open or process a crafted ICC profile with an affected iccDEV build. Successful exploitation yields high-impact availability loss (an application crash or denial of service) together with limited information disclosure, because the underflowed value drives an out-of-bounds read.
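The following C program is an added illustration of the CWE-191 to CWE-125 chain the advisory names; it is not iccDEV's code and not the fix in the referenced commit. It contrasts a walker over calculator operators that computes `n_ops - 1` without checking for zero with a hardened walker that validates every declared nested count against the remaining buffer before indexing or recursing. The `Op` layout, the op codes, the function names and the sample sequences are all assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified calculator operator (not the ICC wire format):
 * a signature plus the count of following ops owned by this op, as an
 * if/select style operator would carry. */
typedef struct {
    uint32_t sig;     /* operator code, values assumed below */
    uint32_t nested;  /* number of following ops in this op's sub-sequence */
} Op;

enum { OP_ADD = 1, OP_TEMP = 2, OP_IF = 3 };  /* assumed op codes */

/* Vulnerable pattern (illustrative only): the count is trusted. When
 * n_ops == 0 the expression n_ops - 1 wraps to 0xFFFFFFFF (CWE-191) and
 * the index reads far outside ops[] (CWE-125). Never call with n_ops == 0. */
static bool vuln_last_op_is_temp(const Op *ops, uint32_t n_ops)
{
    uint32_t last = n_ops - 1;        /* underflows when n_ops == 0 */
    return ops[last].sig == OP_TEMP;  /* out-of-bounds read on underflow */
}

/* Hardened walker: 1 if the sequence contains a temp op (needs a reset),
 * 0 if not, -1 if the sequence is malformed. Every index is derived from
 * the loop variable, which is always < n_ops, so no subtraction can wrap;
 * each nested count is checked against the ops that actually remain. */
static int need_temp_reset(const Op *ops, uint32_t n_ops, int depth)
{
    if (depth > 64)  /* bound recursion from chained nested blocks */
        return -1;
    for (uint32_t i = 0; i < n_ops; i++) {
        if (ops[i].sig == OP_TEMP)
            return 1;
        if (ops[i].sig == OP_IF) {
            uint32_t remaining = n_ops - i - 1;  /* i < n_ops, cannot wrap */
            if (ops[i].nested > remaining)       /* declared count too large */
                return -1;
            int r = need_temp_reset(&ops[i + 1], ops[i].nested, depth + 1);
            if (r != 0)
                return r;
            i += ops[i].nested;  /* skip the nested block already checked */
        }
    }
    return 0;
}

/* Constructed sample sequences (assumptions, not real profile data). */
static const Op SAMPLE_NESTED[3]    = { {OP_ADD, 0}, {OP_IF, 1}, {OP_TEMP, 0} };
static const Op SAMPLE_PLAIN[2]     = { {OP_ADD, 0}, {OP_ADD, 0} };
static const Op SAMPLE_BAD_COUNT[2] = { {OP_IF, 5},  {OP_ADD, 0} };  /* claims 5 nested ops, only 1 follows */

int main(void)
{
    printf("nested temp : %d\n", need_temp_reset(SAMPLE_NESTED, 3, 0));     /* 1 */
    printf("plain       : %d\n", need_temp_reset(SAMPLE_PLAIN, 2, 0));      /* 0 */
    printf("bad count   : %d\n", need_temp_reset(SAMPLE_BAD_COUNT, 2, 0));  /* -1 */
    printf("empty       : %d\n", need_temp_reset(SAMPLE_PLAIN, 0, 0));      /* 0, no underflow */
    printf("vuln, valid : %d\n", vuln_last_op_is_temp(SAMPLE_NESTED, 3));   /* 1 */
    return 0;
}
```

The empty and over-declared cases are the ones a fuzzed or truncated calculator element produces; the hardened walker rejects or safely ignores them instead of indexing, and compiling the vulnerable function with `-fsanitize=address` and an `n_ops` of zero is the quickest way to see the wrapped index in action.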
The official GitHub security advisory (GHSA-ph89-6q5h-wfw5) and fixing commit (cfabfe52c9c7eb0481b62c8aad56580bb11efdad) recommend upgrading to iccDEV version 2.3.1.2, which addresses the flaws in the affected function. No additional workarounds are specified in the provided references.
Details
- CWE(s): CWE-125 (Out-of-bounds Read), CWE-191 (Integer Underflow (Wrap or Wraparound))