CVE-2026-21490
Published: 06 January 2026
Summary
CVE-2026-21490 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Color Iccdev. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). It ranks in the 3.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21490 is a heap buffer overflow vulnerability in the iccDEV library, a set of libraries and tools for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles. The flaw resides in the `CIccTagLut16::Validate()` function and affects all versions prior to 2.3.1.2. Applications or systems that process untrusted ICC color profiles using this library are vulnerable, potentially leading to memory corruption during profile validation.
Exploitation requires local access (AV:L) with low complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), such as convincing a user to open or process a malicious ICC profile. A successful attack can result in high availability impact (A:H) through application crashes or denial of service, with low confidentiality impact (C:L), no integrity impact (I:N) and unchanged scope (S:U). The vulnerability maps to CWE-122 (Heap-based Buffer Overflow), CWE-125 (Out-of-bounds Read), and CWE-193 (Off-by-one Error), with a CVSS v3.1 base score of 6.1 (Medium).
Mitigation is available by upgrading to iccDEV version 2.3.1.2, which includes a patch addressing the issue, as detailed in GitHub commits 7c2cb719a9de1c00844e457e070d657314383ee3 and e91fe722ac54ce497d410153e7405090e0565d7b, issue #397, and security advisory GHSA-9q9c-699q-xr2q. No workarounds are known.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1144
Vulnerability details
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in a heap buffer overflow in `CIccTagLut16::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available.
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1204.002 Malicious File
Why these techniques?
A heap buffer overflow triggered by processing a malicious ICC profile file requires user execution of untrusted content, which maps directly to the delivery and execution of a malicious file.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor patch in version 2.3.1.2 that eliminates the heap overflow in `CIccTagLut16::Validate()`.
- SI-10 (Information Input Validation): mandates robust validation of untrusted ICC profile input to block malformed data that triggers the buffer overflow during `Validate()`.
- Memory protection: requires memory-protection mechanisms that can prevent or contain exploitation of the heap buffer overflow in the library.
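The input-validation control above is the one a profile loader can act on directly: before any table of a lut16Type tag (the tag type `CIccTagLut16` handles) is indexed, the declared tag length must cover every byte the header promises. The following C is an added example written for this page, not iccDEV's code and not a reconstruction of the patched flaw; it uses the public ICC lut16Type ('mft2') field offsets, treats the 15-channel cap as this example's own assumption, and rejects both undersized tags (including the one-byte-short case) and headers whose size computation would overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not iccDEV code. Offsets follow the ICC lut16Type ('mft2')
 * layout: 52-byte header, then input tables, CLUT and output tables of
 * big-endian uint16 entries. The channel cap is this example's assumption. */
#define LUT16_HDR_SIZE 52
#define LUT16_MAX_CHANNELS 15
#define LUT16_MAX_TABLE_ENTRIES 4096

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Overflow-checked multiply: false instead of silently wrapping. */
static bool mul_ok(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Bytes a lut16Type tag with this header must contain, or 0 if the header
 * is malformed or the size computation would overflow. Reads only the header. */
size_t lut16_required_size(const uint8_t *tag, size_t tag_len) {
    if (tag_len < LUT16_HDR_SIZE || memcmp(tag, "mft2", 4) != 0) return 0;
    uint8_t in_ch = tag[8], out_ch = tag[9], grid = tag[10];
    uint16_t n_in = rd16(tag + 48), n_out = rd16(tag + 50);
    if (in_ch < 1 || in_ch > LUT16_MAX_CHANNELS || out_ch < 1 ||
        out_ch > LUT16_MAX_CHANNELS || grid < 2) return 0;
    if (n_in < 2 || n_in > LUT16_MAX_TABLE_ENTRIES ||
        n_out < 2 || n_out > LUT16_MAX_TABLE_ENTRIES) return 0;
    size_t clut = 1;                         /* CLUT = grid^in_ch * out_ch * 2 */
    for (uint8_t d = 0; d < in_ch; d++)
        if (!mul_ok(clut, grid, &clut)) return 0;
    if (!mul_ok(clut, (size_t)out_ch * 2, &clut)) return 0;
    size_t tables = ((size_t)n_in * in_ch + (size_t)n_out * out_ch) * 2;
    if (SIZE_MAX - LUT16_HDR_SIZE - tables < clut) return 0;
    return LUT16_HDR_SIZE + tables + clut;
}

/* Gate before any table is indexed: the tag's actual length must cover every
 * byte the header promises, so a tag one byte short is rejected, not read past. */
bool lut16_tag_fits(const uint8_t *tag, size_t tag_len) {
    size_t need = lut16_required_size(tag, tag_len);
    return need != 0 && need <= tag_len;
}

/* Constructed 52-byte header for experiments (test data, not a real profile). */
void build_lut16_header(uint8_t *buf, uint8_t in_ch, uint8_t out_ch,
                        uint8_t grid, uint16_t n_in, uint16_t n_out) {
    memset(buf, 0, LUT16_HDR_SIZE);
    memcpy(buf, "mft2", 4);
    buf[8] = in_ch; buf[9] = out_ch; buf[10] = grid;
    buf[48] = (uint8_t)(n_in >> 8);  buf[49] = (uint8_t)n_in;
    buf[50] = (uint8_t)(n_out >> 8); buf[51] = (uint8_t)n_out;
}
```

A 3-in, 3-out, 2-grid-point tag with two entries per table needs 52 + 24 + 48 = 124 bytes, so a tag declared at 123 bytes fails the gate, as does a header with 15 input channels and 255 grid points, whose CLUT size does not fit in `size_t`.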