Cyber Resilience

CVE-2026-21501

MediumPublic PoC

Published: 07 January 2026

Published
07 January 2026
Modified
09 January 2026
KEV Added
Patch
CVSS Score v3.1 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score 0.0002 6.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21501 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21501 is a stack overflow vulnerability in the calculator parser of iccDEV, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions of iccDEV prior to 2.3.1.2 are affected, with the flaw linked to CWE-20 (Improper Input Validation) and CWE-787 (Out-of-bounds Write). The vulnerability was published on 2026-01-07 and carries a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), indicating medium severity primarily due to its potential for availability disruption.

A local attacker with no privileges can exploit this vulnerability by tricking a user into processing a specially crafted ICC profile that triggers the stack overflow in the calculator parser. User interaction is required, such as opening or applying a malicious profile through iccDEV tools or dependent applications. Successful exploitation results in a denial-of-service condition, causing application crashes or instability, but does not allow confidentiality or integrity impacts.

The issue has been addressed in iccDEV version 2.3.1.2, as detailed in GitHub commits (e.g., 798be59011649a26a529600cc3cd56437634d3d0 and f3056ed99935d479091470127ad16f8be1912bb7), issue #365, and pull request #413. Security practitioners should recommend updating to the patched version and review the specific fix in IccProfLib/IccMpeCalc.cpp around line 4588 for integration guidance.

EU & UK References

Vulnerability details

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the calculator parser. This issue has been patched…

more

in version 2.3.1.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Crafted ICC profile file requires user interaction to trigger stack overflow/DoS in local parser.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21679Same product: Color Iccdev
CVE-2026-21687Same product: Color Iccdev
CVE-2026-22255Same product: Color Iccdev
CVE-2026-25583Same product: Color Iccdev
CVE-2026-21504Same product: Color Iccdev
CVE-2026-21488Same product: Color Iccdev
CVE-2026-21681Same product: Color Iccdev
CVE-2026-21490Same product: Color Iccdev
CVE-2026-21489Same product: Color Iccdev
CVE-2026-21494Same product: Color Iccdev

Affected Assets

color
iccdev
≤ 2.3.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all input (ICC profiles) to the calculator parser, blocking the malformed data that triggers the stack overflow.

prevent

Mandates timely application of the vendor patch (v2.3.1.2) that corrects the out-of-bounds write in IccMpeCalc.cpp.

prevent

Requires memory-protection mechanisms that can contain or mitigate stack overflows before they produce a DoS crash.

References