CVE-2026-21491
Published: 06 January 2026
Summary
CVE-2026-21491 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in iccDEV, the International Color Consortium's ICC profile library. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique User Execution: Malicious File (T1204.002). The vulnerability is ranked at the 8.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The overflow is reached while parsing a file, so the realistic delivery path is a user opening a malicious ICC profile (User Execution: Malicious File, T1204.002), and the resulting heap corruption can crash the consuming application (Endpoint Denial of Service: Application or System Exploitation, T1499.004). The CVSS vector's low confidentiality impact and absent integrity impact argue against mapping to code-execution techniques.
NVD Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in unicode buffer overflow in `CIccTagTextDescription`. Version 2.3.1.2 contains a patch. No known workarounds are available.
Deeper analysis
CVE-2026-21491 is a unicode buffer overflow vulnerability in the iccDEV library, which provides tools and libraries for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles. The flaw resides in the `CIccTagTextDescription` component and affects all versions of iccDEV prior to 2.3.1.2. Applications or systems that process untrusted ICC color profiles using this library are at risk, potentially leading to memory corruption issues classified under CWE-122 (Heap-based Buffer Overflow), CWE-125 (Out-of-bounds Read), and CWE-193 (Off-by-one Error).
The vulnerability has a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H): local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope. The local vector does not mean the attacker needs a foothold on the machine; it means the crafted ICC profile has to be opened by the target's own software, so the attacker's job is to get that file in front of an application built on iccDEV. Parsing it triggers a heap-based buffer overflow. The expected outcome is a high availability impact (application crash or denial of service), with limited confidentiality impact from the out-of-bounds read; the vector records no integrity impact.
The fix ships in iccDEV version 2.3.1.2, via GitHub commits 7c2cb719a9de1c00844e457e070d657314383ee3 and e91fe722ac54ce497d410153e7405090e0565d7b. The project's security advisory (GHSA-4pv4-4x2x-6j88) and issue tracker entry (#396) describe the fix; no workarounds are known for affected versions. Security practitioners should have dependents upgrade to 2.3.1.2 or later and treat ICC profiles from untrusted sources as hostile input: validate them before they reach the parser, and do not assume the tag sizes and string counts inside a profile are consistent with each other.
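As an added example (not iccDEV code and not the project's fix), the following stand-alone Python pre-screener walks an ICC profile's tag table and rejects any textDescriptionType ('desc') tag whose declared ASCII or Unicode count would run past the end of the tag. The field layout follows the ICC.1 textDescriptionType definition used in v2 profiles; the two sample profiles are constructed inline (one consistent, one whose Unicode count lies), and the check is a generic bounds check on the kind of count-versus-size mismatch that produces heap overflows in profile parsers, not a reproduction of the specific flaw, which the page does not detail.

```python
"""Pre-screen ICC profiles for a textDescriptionType ('desc') tag whose
declared string counts do not fit inside the tag.  Added example; it is
not iccDEV code and does not reproduce the CVE's exact trigger.  Field
layout: ICC.1 textDescriptionType (v2 profiles)."""
import struct

HEADER_LEN = 128          # the ICC profile header is a fixed 128 bytes
TAG_ENTRY_LEN = 12        # tag table entry: signature(4) + offset(4) + size(4)


def desc_tag(ascii_text: bytes, unicode_text: str, unicode_count=None) -> bytes:
    """Serialise a textDescriptionType tag.  unicode_count lets the sample
    below write a count that disagrees with the bytes actually present."""
    ascii_field = ascii_text + b"\x00"                    # ASCII count includes the NUL
    uni = unicode_text.encode("utf-16-be") + b"\x00\x00"  # Unicode count is in UCS-2 units
    count = len(uni) // 2 if unicode_count is None else unicode_count
    return (b"desc" + b"\x00" * 4                         # type signature + reserved
            + struct.pack(">I", len(ascii_field)) + ascii_field
            + struct.pack(">I", 0)                        # Unicode language code
            + struct.pack(">I", count) + uni
            + struct.pack(">H", 0)                        # ScriptCode code
            + b"\x00"                                     # Macintosh count
            + b"\x00" * 67)                               # Macintosh description


def profile_with(tag: bytes) -> bytes:
    """Wrap one tag in a minimal profile: 128-byte header plus a one-entry tag table."""
    tag_offset = HEADER_LEN + 4 + TAG_ENTRY_LEN
    header = bytearray(HEADER_LEN)
    header[0:4] = struct.pack(">I", tag_offset + len(tag))  # profile size
    header[36:40] = b"acsp"                                 # profile file signature
    table = struct.pack(">I", 1) + b"desc" + struct.pack(">II", tag_offset, len(tag))
    return bytes(header) + table + tag


def check_profile(data: bytes) -> list:
    """Return a list of problems found; an empty list means every 'desc'
    tag's ASCII and Unicode counts fit inside that tag's declared size."""
    problems = []
    if len(data) < HEADER_LEN + 4 or data[36:40] != b"acsp":
        return ["not an ICC profile (missing 'acsp' signature)"]
    (declared,) = struct.unpack(">I", data[0:4])
    if declared > len(data):
        problems.append(f"header size {declared} exceeds file size {len(data)}")
    (ntags,) = struct.unpack(">I", data[HEADER_LEN:HEADER_LEN + 4])
    for i in range(ntags):
        entry = HEADER_LEN + 4 + i * TAG_ENTRY_LEN
        if entry + TAG_ENTRY_LEN > len(data):
            problems.append("tag table runs past end of file")
            break
        sig, off, size = struct.unpack(">4sII", data[entry:entry + TAG_ENTRY_LEN])
        if off + size > len(data):                 # Python ints: no wraparound here
            problems.append(f"tag {sig!r} [{off}+{size}] runs past end of file")
            continue
        tag = data[off:off + size]
        if tag[:4] != b"desc":
            continue                               # only textDescriptionType is screened
        if size < 12:
            problems.append(f"tag {sig!r}: too short for a desc header")
            continue
        (ascii_n,) = struct.unpack(">I", tag[8:12])
        uni_hdr = 12 + ascii_n                     # language code (4) + Unicode count (4) follow the ASCII text
        if uni_hdr + 8 > size:
            problems.append(f"tag {sig!r}: ASCII count {ascii_n} overruns tag size {size}")
            continue
        (uni_n,) = struct.unpack(">I", tag[uni_hdr + 4:uni_hdr + 8])
        if uni_hdr + 8 + 2 * uni_n > size:         # 2 bytes per UCS-2 unit
            problems.append(f"tag {sig!r}: Unicode count {uni_n} (UCS-2 units) overruns tag size {size}")
    return problems


# Constructed samples: a consistent profile and one whose Unicode count lies.
GOOD = profile_with(desc_tag(b"sRGB", "sRGB"))
BAD = profile_with(desc_tag(b"sRGB", "sRGB", unicode_count=0x40000000))

if __name__ == "__main__":
    print("good:", check_profile(GOOD) or "ok")
    print("bad: ", check_profile(BAD) or "ok")
```

Run it as a script to see the two verdicts; in a pipeline, call check_profile() on the raw bytes and quarantine anything that returns a non-empty list before the file reaches the color-management library. The screen is deliberately narrow: it proves only that the counts fit inside the tag, not that the profile is otherwise well-formed, and every check compares a declared length against the size the container already committed to, which is the invariant a parser must hold before it allocates or copies.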
Details
- CWE(s)