Cyber Resilience

CVE-2026-21494

Severity: Medium
Published: 06 January 2026
Modified: 12 January 2026
KEV Added: none
Patch: available
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H)
EPSS Score: 0.0001 (1.7th percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21494 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Color Iccdev. Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 1.7th percentile by exploit likelihood (EPSS), well below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-21494 is a heap buffer overflow vulnerability in the iccDEV library, a set of libraries and tools for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles. The flaw, tied to CWE-122 (Heap-based Buffer Overflow), CWE-125 (Out-of-bounds Read), and CWE-193 (Off-by-one Error), occurs in the `CIccTagLut8::Validate()` function and affects all versions prior to 2.3.1.2. It impacts any applications or users of the iccDEV library that process untrusted ICC color profiles.

The vulnerability has a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H): exploitation requires local access, is of low complexity, needs no privileges, and depends on user interaction. An attacker with local access can trick a user into processing a malicious ICC profile, triggering the buffer overflow. The primary impact is denial of service through application crashes or memory corruption, with limited potential for low-impact confidentiality loss via information disclosure.

Mitigation is available via an upgrade to iccDEV version 2.3.1.2, which includes patches documented in GitHub commits 7c2cb719a9de1c00844e457e070d657314383ee3 and e91fe722ac54ce497d410153e7405090e0565d7b. The project's security advisory (GHSA-hjxv-xr7w-84fc) and issue tracker (#398) provide further details, but no workarounds are known.
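The following C check is an added illustration of the SI-10 input-validation control for the tag type involved here; it is not iccDEV's code and not the patch for this CVE, and it does not claim to reproduce the specific off-by-one in `CIccTagLut8::Validate()`. It assumes the lut8Type ('mft1') layout from the ICC specification: a 48-byte fixed header (signature, reserved word, input/output channel counts, grid-point count, padding, 3x3 matrix), then 256 bytes of input table per input channel, a CLUT of grid^inputChannels entries times outputChannels bytes, and 256 bytes of output table per output channel. The function names, the 15-channel limit used as a sanity bound, and the sample tag geometry are the author's own constructions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size prefix of a lut8Type ('mft1') tag per the ICC specification:
 * signature (4) + reserved (4) + input/output channel counts, grid points and
 * padding (4) + 3x3 matrix of nine s15Fixed16 values (36) = 48 bytes. */
#define LUT8_HEADER_LEN 48u
#define ICC_MAX_CHANNELS 15u   /* sanity bound assumed for this example */

/* Bytes a lut8Type tag must contain for the geometry declared in its header:
 * header + 256 bytes per input-table channel + (grid^in_ch * out_ch) CLUT bytes
 * + 256 bytes per output-table channel. Returns 0 for an invalid geometry or
 * when the total would not fit in 64 bits, so a caller never trusts a
 * wrapped-around size. */
uint64_t lut8_required_len(unsigned in_ch, unsigned out_ch, unsigned grid)
{
    if (in_ch == 0 || out_ch == 0 || in_ch > ICC_MAX_CHANNELS || out_ch > ICC_MAX_CHANNELS)
        return 0;

    uint64_t clut_entries = 1;
    for (unsigned k = 0; k < in_ch; k++) {
        if (grid != 0 && clut_entries > UINT64_MAX / grid)
            return 0;                       /* grid^in_ch would overflow */
        clut_entries *= grid;
    }

    uint64_t needed = LUT8_HEADER_LEN + 256ull * in_ch + 256ull * out_ch;
    if (clut_entries > (UINT64_MAX - needed) / out_ch)
        return 0;                           /* CLUT byte count would overflow */
    return needed + clut_entries * out_ch;
}

/* Returns 1 when the tag bytes actually present (tag_len) can hold every table
 * the header announces, 0 otherwise. Reading the tables only after this check
 * keeps a short or inconsistent tag from driving reads past the heap buffer. */
int lut8_tag_is_consistent(const uint8_t *tag, size_t tag_len)
{
    if (tag == NULL || tag_len < LUT8_HEADER_LEN)
        return 0;
    if (memcmp(tag, "mft1", 4) != 0)
        return 0;
    uint64_t needed = lut8_required_len(tag[8], tag[9], tag[10]);
    return needed != 0 && needed <= (uint64_t)tag_len;
}

/* Constructed sample input: builds a zero-filled tag with the given geometry in
 * a scratch buffer and reports whether buf_len bytes of it pass the check.
 * Returns -1 if the requested length exceeds the scratch buffer. */
int check_constructed_lut8(unsigned in_ch, unsigned out_ch, unsigned grid, size_t buf_len)
{
    static uint8_t buf[4096];
    if (buf_len > sizeof buf)
        return -1;
    memset(buf, 0, sizeof buf);
    memcpy(buf, "mft1", 4);
    buf[8] = (uint8_t)in_ch;
    buf[9] = (uint8_t)out_ch;
    buf[10] = (uint8_t)grid;
    return lut8_tag_is_consistent(buf, buf_len);
}

int main(void)
{
    /* 3-in/3-out, 2 grid points: 48 + 768 + 24 + 768 = 1608 bytes required. */
    printf("exact size     -> %d\n", check_constructed_lut8(3, 3, 2, 1608));
    printf("one byte short -> %d\n", check_constructed_lut8(3, 3, 2, 1607));
    printf("oversized CLUT -> %d\n", check_constructed_lut8(15, 15, 255, 4096));
    return 0;
}
```

The point of computing the required length in 64-bit arithmetic with explicit overflow guards is that the three header bytes are attacker-controlled: a large grid-point count with many input channels can make the CLUT size wrap in 32-bit or unchecked arithmetic, which is exactly how a size check ends up accepting a tag that is one byte (or many bytes) shorter than the tables it claims to carry.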

Vulnerability details

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in a heap buffer overflow in `CIccTagLut8::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.002 Malicious File Execution: An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

Local heap buffer overflow triggered by processing a malicious ICC profile file supplied by an attacker, directly mapping to user execution via a malicious file.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21490 (same product: Color Iccdev)
CVE-2026-21491 (same product: Color Iccdev)
CVE-2026-21488 (same product: Color Iccdev)
CVE-2026-21504 (same product: Color Iccdev)
CVE-2026-21489 (same product: Color Iccdev)
CVE-2026-25583 (same product: Color Iccdev)
CVE-2026-21501 (same product: Color Iccdev)
CVE-2026-22255 (same product: Color Iccdev)
CVE-2026-21679 (same product: Color Iccdev)
CVE-2026-21687 (same product: Color Iccdev)

Affected Assets

Vendor: color
Product: iccdev
Versions: ≤ 2.3.1.2

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly requires applying the vendor patch (v2.3.1.2) that eliminates the heap buffer overflow in `CIccTagLut8::Validate()`.

SI-10 Information Input Validation (prevent): Mandates robust validation of untrusted ICC profile input, which is the root cause of the off-by-one and out-of-bounds conditions.

Memory protection (prevent): Requires memory-protection mechanisms that can block exploitation of the heap buffer overflow and resulting memory corruption.
