Cyber Posture

CVE-2026-21494

Medium

Published: 06 January 2026

Published
06 January 2026
Modified
12 January 2026
KEV Added
Patch
CVSS Score 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
EPSS Score 0.0002 6.2th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21494 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Color Iccdev. Its CVSS base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 6.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002).
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

Local heap buffer overflow triggered by processing a malicious ICC profile file supplied by an attacker, directly mapping to user execution via a malicious file.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process…

more

ICC color profiles. It results in heap buffer overflow in `CIccTagLut8::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available.

Deeper analysisAI

CVE-2026-21494 is a heap buffer overflow vulnerability in the iccDEV library, a set of libraries and tools for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles. The flaw, tied to CWE-122 (Heap-based Buffer Overflow), CWE-125 (Out-of-bounds Read), and CWE-193 (Off-by-one Error), occurs in the `CIccTagLut8::Validate()` function and affects all versions prior to 2.3.1.2. It impacts any applications or users of the iccDEV library that process untrusted ICC color profiles.

The vulnerability has a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H), indicating exploitation requires local access, low complexity, no privileges, and user interaction. An attacker with local access can trick a user into processing a malicious ICC profile, triggering the buffer overflow. This can result in a denial of service through application crashes or memory corruption, with limited potential for low-impact confidentiality breaches via information disclosure.

Mitigation is available via an upgrade to iccDEV version 2.3.1.2, which includes patches documented in GitHub commits 7c2cb719a9de1c00844e457e070d657314383ee3 and e91fe722ac54ce497d410153e7405090e0565d7b. The project's security advisory (GHSA-hjxv-xr7w-84fc) and issue tracker (#398) provide further details, but no workarounds are known.

Details

CWE(s)
CWE-122CWE-125CWE-193

Affected Products

color
iccdev
≤ 2.3.1.2

CVEs Like This One

CVE-2026-21490Same product: Color Iccdev
CVE-2026-21491Same product: Color Iccdev
CVE-2026-21504Same product: Color Iccdev
CVE-2026-21488Same product: Color Iccdev
CVE-2026-21489Same product: Color Iccdev
CVE-2026-25583Same product: Color Iccdev
CVE-2026-21679Same product: Color Iccdev
CVE-2026-22255Same product: Color Iccdev
CVE-2026-24852Same product: Color Iccdev
CVE-2026-21687Same product: Color Iccdev

References