CVE-2026-21491
Published: 06 January 2026
Summary
CVE-2026-21491 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Color Iccdev. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique User Execution: Malicious File (T1204.002). The CVE is ranked at the 3.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21491 is a unicode buffer overflow vulnerability in the iccDEV library, which provides tools and libraries for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles. The flaw resides in the `CIccTagTextDescription` component and affects all versions of iccDEV prior to 2.3.1.2. Applications or systems that process untrusted ICC color profiles using this library are at risk, potentially leading to memory corruption issues classified under CWE-122 (Heap-based Buffer Overflow), CWE-125 (Out-of-bounds Read), and CWE-193 (Off-by-one Error).
The vulnerability has a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H), indicating a local attack vector with low complexity, no privileges required, but user interaction needed. An attacker with local access could exploit it by tricking a user into processing a specially crafted ICC profile, resulting in a heap-based buffer overflow. Successful exploitation could achieve high availability impact through application crashes or denial of service, alongside limited confidentiality impact via potential information disclosure from out-of-bounds reads.
Mitigation is addressed in iccDEV version 2.3.1.2, which includes patches via specific GitHub commits (7c2cb719a9de1c00844e457e070d657314383ee3 and e91fe722ac54ce497d410153e7405090e0565d7b). The project's security advisory (GHSA-4pv4-4x2x-6j88) and issue tracker (#396) detail the fix, with no known workarounds available for affected versions. Security practitioners should advise upgrading to the patched release and validating ICC profiles from untrusted sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1145
Vulnerability details
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in a unicode buffer overflow in `CIccTagTextDescription`. Version 2.3.1.2 contains a patch. No known workarounds are available.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A local file-processing buffer overflow enables delivery of a malicious ICC profile (User Execution: Malicious File, T1204.002) and application denial of service via heap corruption (Endpoint Denial of Service: Application or System Exploitation, T1499.004); the limited confidentiality impact and absent integrity impact argue against mapping to remote code execution techniques.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor patch in iccDEV 2.3.1.2, which eliminates the unicode buffer overflow in CIccTagTextDescription.
- SI-10 (Information Input Validation): mandates validation of ICC profile input fields so that malformed unicode text that triggers the heap overflow is rejected or sanitized.
- Memory protection: requires memory-protection mechanisms that can block exploitation of the resulting heap-based buffer overflow even if input validation fails.
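As an added illustration of the input-validation control, and of the profile validation recommended in the analysis above, the following Python pre-check rejects a textDescriptionType tag whose declared Unicode count does not fit in the bytes actually present. This is example code written for this page, not iccDEV's parser; the tag layout is assumed from the ICC.1 textDescriptionType definition, and the 4096-character policy limit and helper names are choices made here.

```python
import struct

# Layout of an ICC textDescriptionType ('desc') tag element, as assumed here from the
# ICC.1 specification (not taken from iccDEV): 'desc', 4 reserved bytes, uint32 ASCII
# count, ASCII bytes, uint32 Unicode language code, uint32 Unicode count (UTF-16 code
# units incl. NUL), Unicode bytes (count * 2), uint16 ScriptCode code, uint8 ScriptCode
# count, 67 ScriptCode bytes. All integers are big-endian.
HEADER_LEN = 12             # signature + reserved + ASCII count
UNICODE_HDR_LEN = 8         # language code + Unicode count
SCRIPTCODE_LEN = 2 + 1 + 67
MAX_TEXT_CHARS = 4096       # policy limit chosen for this example, not an ICC value


def check_desc_tag(data: bytes) -> tuple:
    """Return (ok, reason). Rejects a 'desc' tag whose declared counts do not fit in
    the bytes actually present, the malformed shape the advisory describes."""
    if len(data) < HEADER_LEN or data[:4] != b"desc":
        return False, "not a textDescriptionType tag"
    (ascii_count,) = struct.unpack(">I", data[8:12])
    pos = HEADER_LEN
    if ascii_count > MAX_TEXT_CHARS or ascii_count > len(data) - pos:
        return False, "ASCII count exceeds tag data"
    if ascii_count and data[pos + ascii_count - 1] != 0:
        return False, "ASCII text not NUL-terminated"
    pos += ascii_count
    if len(data) - pos < UNICODE_HDR_LEN:
        return False, "truncated before Unicode header"
    (uni_count,) = struct.unpack(">I", data[pos + 4:pos + 8])
    pos += UNICODE_HDR_LEN
    # Python ints do not wrap, so count * 2 cannot overflow back into range here.
    if uni_count > MAX_TEXT_CHARS or uni_count * 2 > len(data) - pos:
        return False, "Unicode count exceeds tag data"
    if uni_count and data[pos + 2 * uni_count - 2:pos + 2 * uni_count] != b"\x00\x00":
        return False, "Unicode text not NUL-terminated"
    pos += uni_count * 2
    if len(data) - pos < SCRIPTCODE_LEN:
        return False, "truncated ScriptCode section"
    return True, "ok"


def build_desc_tag(ascii_text: bytes, unicode_text: str, declared_uni=None) -> bytes:
    """Construct a 'desc' tag for testing; declared_uni overrides the Unicode count
    field so a well-formed body can be paired with an inconsistent length."""
    a = ascii_text + b"\x00"
    u = (unicode_text + "\x00").encode("utf-16-be")
    n = len(u) // 2 if declared_uni is None else declared_uni
    return (b"desc" + b"\x00" * 4 + struct.pack(">I", len(a)) + a
            + struct.pack(">II", 0, n) + u + b"\x00" * SCRIPTCODE_LEN)
```

Run the check on each 'desc' tag before handing the profile to the library; a rejected tag is grounds to drop the profile rather than repair it.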