Cyber Posture

CVE-2026-21490

MediumPublic PoC

Published: 06 January 2026

Published
06 January 2026
Modified
12 January 2026
KEV Added
Patch
CVSS Score 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
EPSS Score 0.0003 8.0th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21490 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Color Iccdev. Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002).
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

Heap buffer overflow triggered by processing a malicious ICC profile file requires user execution of untrusted content, directly mapping to delivery/execution of a malicious file.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process…

more

ICC color profiles. It results in heap buffer overflow in `CIccTagLut16::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available.

Deeper analysisAI

CVE-2026-21490 is a heap buffer overflow vulnerability in the iccDEV library, a set of libraries and tools for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles. The flaw resides in the `CIccTagLut16::Validate()` function and affects all versions prior to 2.3.1.2. Applications or systems that process untrusted ICC color profiles using this library are vulnerable, potentially leading to memory corruption during profile validation.

Exploitation requires local access (AV:L) with low complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), such as convincing a user to open or process a malicious ICC profile. A successful attack can result in high availability impact (A:H) through application crashes or denial of service, with low confidentiality impact (C:L) but no integrity impact (I:N) and unchanged scope (S:U). The vulnerability maps to CWEs-122 (Heap-based Buffer Overflow), CWE-125 (Out-of-bounds Read), and CWE-193 (Off-by-one Error), with a CVSS v3.1 base score of 6.1 (Medium).

Mitigation is available via upgrading to iccDEV version 2.3.1.2, which includes a patch addressing the issue, as detailed in GitHub commits 7c2cb719a9de1c00844e457e070d657314383ee3 and e91fe722ac54ce497d410153e7405090e0565d7b, issue #397, and security advisory GHSA-9q9c-699q-xr2q. No workarounds are known.

Details

CWE(s)
CWE-122CWE-125CWE-193

Affected Products

color
iccdev
≤ 2.3.1.2

CVEs Like This One

CVE-2026-21494Same product: Color Iccdev
CVE-2026-21491Same product: Color Iccdev
CVE-2026-21504Same product: Color Iccdev
CVE-2026-21488Same product: Color Iccdev
CVE-2026-21489Same product: Color Iccdev
CVE-2026-25583Same product: Color Iccdev
CVE-2026-21679Same product: Color Iccdev
CVE-2026-22255Same product: Color Iccdev
CVE-2026-24852Same product: Color Iccdev
CVE-2026-21687Same product: Color Iccdev

References