CVE-2026-21504
Published: 07 January 2026
Summary
CVE-2026-21504 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Color Iccdev. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 8.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Direct mapping to malicious file delivery requiring user interaction to trigger the buffer overflow in the ICC profile parser.
NVD Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap buffer overflow in the ToneMap parser. This issue has been patched in version 2.3.1.2.
Deeper analysis (AI)
CVE-2026-21504 is a heap buffer overflow vulnerability in the ToneMap parser of iccDEV, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. The flaw affects versions of iccDEV prior to 2.3.1.2 and is classified under CWE-122 (Heap-based Buffer Overflow), CWE-193 (Off-by-one Error), and CWE-787 (Out-of-bounds Write). It carries a CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H), indicating medium severity with primary impact on availability.
A local attacker can exploit this vulnerability by tricking a user into processing a malicious ICC profile file through iccDEV tools or libraries; the attack has low complexity and requires no privileges. Successful exploitation could result in limited disclosure of sensitive information, limited modification of data, and high-impact denial of service via application crash or heap corruption, potentially leading to code execution in the context of the affected process.
Mitigation is available in iccDEV version 2.3.1.2, where the issue was addressed via patches detailed in GitHub commits 14fe3785e6b1f9992375b2a24617a0d7f6a70f95 and 23a38f83f2a5874a1c4427df59ec342af3277cad, associated with issue #366 and pull request #415. The fix modifies the ToneMap parsing logic in IccMpeBasic.cpp around line 4557. Security practitioners should update to the patched version and validate ICC profiles from untrusted sources.
Details
- CWE(s)