CVE-2026-21675
Published: 06 January 2026
Summary
CVE-2026-21675 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21675 is a Use After Free vulnerability (CWE-416, CWE-20) affecting iccDEV, a set of libraries and tools for working with ICC color management profiles. The flaw resides in the CIccXform::Create() function, where an object referred to as the "hint" is deleted, leading to potential memory corruption in affected versions 2.3.1 and earlier. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
Remote attackers require no privileges or user interaction to exploit this issue over the network with low attack complexity. Successful exploitation could allow arbitrary code execution, data disclosure, or system compromise by triggering the Use After Free during color profile processing, potentially in applications or systems that parse untrusted ICC profiles.
Mitigation is available via an upgrade to iccDEV version 2.3.1.1, which addresses the issue as detailed in the project's GitHub security advisory (GHSA-wcwx-794g-g78f), related issues (#182), and the fixing commit (510baf58fa48e00ebbb5dd577f0db4af8876bb31). Security practitioners should audit dependencies on iccDEV and ensure parsing of untrusted ICC files is sandboxed or disabled where possible.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1150
Vulnerability details
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version…
more
2.3.1.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows remote, unauthenticated arbitrary code execution with no user interaction via network exploitation of applications processing untrusted ICC profiles, directly mapping to T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely remediation of the Use After Free flaw in iccDEV by upgrading to version 2.3.1.1, eliminating the vulnerability.
Vulnerability scanning identifies systems using vulnerable iccDEV versions affected by CVE-2026-21675 during color profile processing.
Implements memory protections like ASLR and DEP to hinder arbitrary code execution from the Use After Free memory corruption in iccDEV.