CVE-2026-21500
Published: 07 January 2026
Summary
CVE-2026-21500 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
- Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Directly limits uncontrolled resource consumption that leads to denial-of-service.
- Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
- Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
- Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.
- Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
- Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A locally supplied crafted file (ICC profile or XML) triggers a stack overflow crash, which maps to user execution of a malicious file and to exploitation of the application for denial of service.
NVD Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the XML calculator macro expansion. This issue has been patched in version 2.3.1.2.
Deeper analysis
CVE-2026-21500 is a stack overflow vulnerability in the XML calculator macro expansion feature of iccDEV, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. The flaw affects iccDEV versions prior to 2.3.1.2 and has been assigned a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). It is associated with CWEs including CWE-20 (Improper Input Validation), CWE-400 (Uncontrolled Resource Consumption), CWE-674 (Uncontrolled Recursion), CWE-1119 (Excessive Data Query Operations), and CWE-787 (Out-of-bounds Write).
A local attacker with no privileges can exploit this vulnerability with low complexity by tricking a user into processing malicious input, such as a crafted ICC profile or XML data that triggers macro expansion. Successful exploitation leads to a stack overflow, resulting in denial of service through an application crash or instability, with no impact on confidentiality or integrity.
The vulnerability has been patched in iccDEV version 2.3.1.2, as detailed in the project's GitHub security advisory (GHSA-4h4j-mm9w-2cp4), issue tracker (#384), pull request (#406), and related commits (cce5f9b68a6c067b7ef898ccd5b000770745fb14 and f295826a6f15add90490030f23b2ddd8593bff5b). Security practitioners should update to the fixed version and validate inputs in color management workflows to mitigate risks.
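The root cause class here (CWE-674, uncontrolled recursion during macro expansion) is the kind of defect that an explicit recursion bound and an output-size budget prevent. The following is an added illustration, not iccDEV's code: the `${name}` macro syntax, the depth limit of 32 and the 1 MiB output cap are assumptions chosen for the example, not values from the project.

```cpp
// Added example (not iccDEV code). Hypothetical macro syntax: "${name}" refers
// to an entry in a macro table; bodies may themselves contain "${...}" references.
#include <map>
#include <stdexcept>
#include <string>

const size_t kMaxMacroDepth    = 32;        // assumed bound, not iccDEV's actual limit
const size_t kMaxExpandedBytes = 1u << 20;  // assumed cap on one expanded body

// Expands ${name} references in `text`. Throws std::runtime_error when the
// nesting exceeds kMaxMacroDepth (self-referential or mutually recursive
// macros) or when a single expanded body exceeds kMaxExpandedBytes
// (exponential "width" blow-up). Both checks fire long before the native
// stack or memory is exhausted, which is the failure mode behind CVE-2026-21500.
std::string expandMacros(const std::string& text,
                         const std::map<std::string, std::string>& macros,
                         size_t depth = 0) {
    if (depth > kMaxMacroDepth)
        throw std::runtime_error("macro expansion depth exceeded");
    std::string out;
    size_t pos = 0;
    while (pos < text.size()) {
        size_t start = text.find("${", pos);
        if (start == std::string::npos) { out.append(text, pos, std::string::npos); break; }
        size_t end = text.find('}', start + 2);
        if (end == std::string::npos)   { out.append(text, pos, std::string::npos); break; }
        out.append(text, pos, start - pos);                 // literal text before ${
        std::string name = text.substr(start + 2, end - start - 2);
        auto it = macros.find(name);
        if (it == macros.end())
            throw std::runtime_error("undefined macro: " + name);
        out += expandMacros(it->second, macros, depth + 1);  // bounded recursion
        if (out.size() > kMaxExpandedBytes)
            throw std::runtime_error("macro expansion output too large");
        pos = end + 1;
    }
    return out;
}

// Convenience wrapper for validation: true if the document expands within the
// configured limits, false if expansion would recurse or grow without bound.
bool expandsSafely(const std::string& text,
                   const std::map<std::string, std::string>& macros) {
    try { expandMacros(text, macros); return true; }
    catch (const std::runtime_error&) { return false; }
}
```

A parser that accepts untrusted ICC/XML input should reject the document (and log the reason) when `expandsSafely` returns false, rather than letting the recursion run until the process crashes.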
Details
- CWE(s)