CVE-2026-21494
Published: 06 January 2026
Summary
CVE-2026-21494 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Color Iccdev. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 1.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-21494 is a heap buffer overflow vulnerability in the iccDEV library, a set of libraries and tools for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles. The flaw, tied to CWE-122 (Heap-based Buffer Overflow), CWE-125 (Out-of-bounds Read), and CWE-193 (Off-by-one Error), occurs in the `CIccTagLut8::Validate()` function and affects all versions prior to 2.3.1.2. It impacts any applications or users of the iccDEV library that process untrusted ICC color profiles.
The vulnerability has a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H), indicating exploitation requires local access, low complexity, no privileges, and user interaction. An attacker with local access can trick a user into processing a malicious ICC profile, triggering the buffer overflow. This can result in a denial of service through application crashes or memory corruption, with limited potential for low-impact confidentiality breaches via information disclosure.
Mitigation is available via an upgrade to iccDEV version 2.3.1.2, which includes patches documented in GitHub commits 7c2cb719a9de1c00844e457e070d657314383ee3 and e91fe722ac54ce497d410153e7405090e0565d7b. The project's security advisory (GHSA-hjxv-xr7w-84fc) and issue tracker (#398) provide further details, but no workarounds are known.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1146
Vulnerability details
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process…
more
ICC color profiles. It results in heap buffer overflow in `CIccTagLut8::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local heap buffer overflow triggered by processing a malicious ICC profile file supplied by an attacker, directly mapping to user execution via a malicious file.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the vendor patch (v2.3.1.2) that eliminates the heap buffer overflow in CIccTagLut8::Validate().
Mandates robust validation of untrusted ICC profile input, which is the root cause of the off-by-one and out-of-bounds conditions.
Requires memory-protection mechanisms that can block exploitation of the heap buffer overflow and resulting memory corruption.