CVE-2026-21500
Published: 07 January 2026
Summary
CVE-2026-21500 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique User Execution: Malicious File (T1204.002). The CVE ranks at the 5.9th percentile by exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21500 is a stack overflow vulnerability in the XML calculator macro expansion feature of iccDEV, a set of libraries and tools for reading, manipulating, and applying ICC color management profiles. The flaw affects iccDEV versions prior to 2.3.1.2 and has been assigned a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). It is associated with CWE-20 (Improper Input Validation), CWE-400 (Uncontrolled Resource Consumption), CWE-674 (Uncontrolled Recursion), CWE-1119 (Excessive Data Query Operations), and CWE-787 (Out-of-bounds Write). Taken together, the CWE assignments describe the failure mode: macro expansion that recurses without a bound on nesting depth or expanded size exhausts the stack, with an out-of-bounds write also recorded.
An unprivileged local attacker can exploit this vulnerability with low complexity by getting a user to process a malicious input, such as a crafted ICC profile or calculator XML that triggers macro expansion; the CVSS vector (AV:L, UI:R) reflects that the victim must open the file locally. Successful exploitation overflows the stack and crashes or destabilises the consuming application, a denial of service with no impact on confidentiality or integrity.
The vulnerability has been patched in iccDEV version 2.3.1.2, as detailed in the project's GitHub security advisory (GHSA-4h4j-mm9w-2cp4), issue tracker (#384), pull request (#406), and related commits (cce5f9b68a6c067b7ef898ccd5b000770745fb14 and f295826a6f15add90490030f23b2ddd8593bff5b). Security practitioners should update to the fixed version and, until it is deployed, treat ICC profiles and calculator XML from untrusted sources as hostile input that should be rejected or processed in an isolated, non-critical process.
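The following C++ is an added illustration of the failure mode described above and of the input-validation mitigation; it is not iccDEV code and does not reproduce the project's actual calculator syntax. It assumes a simple text-macro language in which `{name}` is replaced by the macro's definition, and the depth and size limits are assumed values chosen for the example. `expand_unbounded` shows the CWE-674 pattern (a self-referential macro recurses until the stack is exhausted); `expand_bounded` is the hardened form that bounds nesting depth and total expanded size and fails closed. The macro table is constructed sample input.

```cpp
// Added example (not iccDEV code). Macro syntax "{name}" and the limits
// below are assumptions made for illustration.
#include <cstddef>
#include <iostream>
#include <map>
#include <string>

using Macros = std::map<std::string, std::string>;

// Vulnerable pattern (CWE-674 / CWE-400): each reference is expanded by an
// unbounded recursive call. A macro defined as bomb -> "{bomb}{bomb}" never
// terminates and exhausts the stack. Kept only for comparison; not called on
// the sample input below.
std::string expand_unbounded(const Macros& m, const std::string& text) {
    std::string out;
    for (size_t i = 0; i < text.size();) {
        size_t open = text.find('{', i);
        size_t close = (open == std::string::npos) ? open : text.find('}', open);
        if (close == std::string::npos) { out += text.substr(i); break; }
        out += text.substr(i, open - i);
        auto it = m.find(text.substr(open + 1, close - open - 1));
        if (it != m.end()) out += expand_unbounded(m, it->second); // no bound
        else out += text.substr(open, close - open + 1);         // kept verbatim
        i = close + 1;
    }
    return out;
}

// Hardened form in the spirit of SI-10: bound nesting depth (CWE-674) and
// total expanded size (CWE-400 / CWE-1119), and fail closed instead of crashing.
constexpr size_t kMaxDepth  = 32;          // assumed limit
constexpr size_t kMaxOutput = 64 * 1024;   // assumed limit, bytes

bool expand_bounded(const Macros& m, const std::string& text,
                    std::string& out, size_t depth) {
    if (depth > kMaxDepth) return false;                 // recursion guard
    for (size_t i = 0; i < text.size();) {
        size_t open = text.find('{', i);
        size_t close = (open == std::string::npos) ? open : text.find('}', open);
        if (close == std::string::npos) { out += text.substr(i); break; }
        out += text.substr(i, open - i);                 // literal prefix
        auto it = m.find(text.substr(open + 1, close - open - 1));
        if (it != m.end()) {
            if (!expand_bounded(m, it->second, out, depth + 1)) return false;
        } else {
            out += text.substr(open, close - open + 1);  // unknown macro kept verbatim
        }
        if (out.size() > kMaxOutput) return false;       // size guard
        i = close + 1;
    }
    return out.size() <= kMaxOutput;
}

struct Expanded { bool ok; std::string text; };

// Fail closed: on any limit violation no partial output is returned.
Expanded expand_checked(const Macros& m, const std::string& text) {
    Expanded r{true, ""};
    r.ok = expand_bounded(m, text, r.text, 0);
    if (!r.ok) r.text.clear();
    return r;
}

// Constructed sample macro table: a benign chain, a self-referential bomb, and
// a doubling chain x_n (8 * 2^n bytes) that blows up size before depth.
Macros sample_macros() {
    Macros m;
    m["who"]   = "world";
    m["greet"] = "hello {who}";
    m["bomb"]  = "{bomb}{bomb}";
    m["x0"]    = "abcdefgh";
    for (int n = 1; n <= 14; ++n)
        m["x" + std::to_string(n)] =
            "{x" + std::to_string(n - 1) + "}{x" + std::to_string(n - 1) + "}";
    return m;
}

int main() {
    const Macros m = sample_macros();
    for (const char* in : {"{greet}!", "{nope}", "{x10}", "{x14}", "{bomb}"}) {
        Expanded r = expand_checked(m, in);
        std::cout << in << " -> " << (r.ok ? "ok, " + std::to_string(r.text.size()) + " bytes"
                                           : std::string("rejected")) << '\n';
    }
    return 0;
}
```

The two guards are independent: `{bomb}` is stopped by the depth limit after 33 nested calls, while `{x14}` stays within the depth limit (14 levels) but is stopped by the size limit because its expansion would reach 131072 bytes. A parser that checks only one of the two still has a denial-of-service path through the other.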
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1406
Vulnerability details
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the XML calculator macro expansion. This issue has been patched in version 2.3.1.2.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A locally supplied crafted file (ICC profile or calculator XML) triggers the stack overflow and crashes the consuming process. That maps to User Execution: Malicious File (T1204.002), since the victim must open the file, and to exploitation of the application for denial of service.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly enforces validation of the XML macro-expansion input in ICC profiles, in particular bounds on nesting depth and expanded size, rejecting the malformed data that triggers the stack overflow.
- SI-2 (Flaw Remediation): requires timely application of the vendor patch (v2.3.1.2), which eliminates the uncontrolled recursion and out-of-bounds write in macro expansion.
- SI-16 (Memory Protection): provides memory-protection mechanisms (stack guard pages, stack canaries, non-executable stacks) that contain the effects of the CWE-787 write and keep the failure a crash rather than code execution; they do not prevent the denial of service itself.