CVE-2026-21678
Published: 07 January 2026
Summary
CVE-2026-21678 is a high-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation by applying the official patch in iccDEV version 2.3.1.2 to eliminate the heap-buffer-overflow vulnerability in IccTagXml().
Enforces validation of ICC profile inputs prior to processing by IccTagXml(), directly countering the improper input validation (CWE-20) that enables the buffer overflow.
Deploys memory protection safeguards like ASLR, DEP, and heap canaries to hinder arbitrary code execution from the heap-buffer-overflow in iccDEV.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a client-side buffer overflow in an ICC profile parser, so a malicious profile file opened by the user leads directly to code execution in the user's context.
NVD Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to a heap-buffer-overflow vulnerability in IccTagXml(). This issue has been patched in version 2.3.1.2.
Deeper analysis
CVE-2026-21678 is a heap-buffer-overflow vulnerability in the IccTagXml() function of iccDEV, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. The flaw affects versions of iccDEV prior to 2.3.1.2 and has been assigned a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). It is associated with CWEs 20 (Improper Input Validation), 122 (Heap-based Buffer Overflow), 125 (Out-of-bounds Read), and 787 (Out-of-bounds Write).
A local attacker can exploit this vulnerability by tricking a user into processing a specially crafted ICC color profile file with an affected version of iccDEV. No privileges are required (PR:N), and the attack has low complexity (AC:L) but requires user interaction (UI:R), such as opening the malicious file in a compatible application. Successful exploitation enables high-impact consequences, including arbitrary code execution with the privileges of the user running the process, potentially leading to unauthorized data access, modification, or denial of service.
Mitigation is available via an official patch in iccDEV version 2.3.1.2, as detailed in the project's GitHub security advisory (GHSA-9rp2-4c6g-hppf), the fixing commit (c6c0f1cf45b48db94266132ccda5280a1a33569d), the related issue (#55), and pull request (#219). Security practitioners should advise users and downstream applications handling ICC profiles to update immediately and validate inputs to IccTagXml() where possible.
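The input-validation control above (SI-10) amounts to rejecting a profile whose tag table points outside the bytes actually read, before any tag is handed to a parser such as IccTagXml(). The following is an added example written for this page, not iccDEV project code, and it does not reproduce the patched function: it checks an ICC profile's header and tag table against the buffer length using layout facts from the ICC.1 specification (128-byte header, big-endian profile size at offset 0, 'acsp' signature at offset 36, tag count at offset 128, then 12-byte entries of signature, offset and size). The helper names, the minimum tag payload of 8 bytes (type signature plus reserved bytes), and the constructed sample profile are the example's own assumptions.

```cpp
// Added example (not iccDEV code): bounds-check an ICC profile's tag table
// before passing its bytes to any tag parser. All checks are against the real
// buffer length, never against lengths the file declares for itself.
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

static const size_t kHeaderSize = 128;   // ICC.1 header length
static const size_t kTagEntrySize = 12;  // signature, offset, size (uint32 each)

// Big-endian 32-bit read; callers guarantee off+4 <= buf.size().
static uint32_t be32(const std::vector<uint8_t>& buf, size_t off) {
    return (uint32_t(buf[off]) << 24) | (uint32_t(buf[off + 1]) << 16) |
           (uint32_t(buf[off + 2]) << 8) | uint32_t(buf[off + 3]);
}

static void put32(std::vector<uint8_t>& buf, size_t off, uint32_t v) {
    buf[off] = uint8_t(v >> 24); buf[off + 1] = uint8_t(v >> 16);
    buf[off + 2] = uint8_t(v >> 8); buf[off + 3] = uint8_t(v);
}

// Returns an empty string when the profile is safe to hand to a parser,
// otherwise a short reason for rejecting it.
std::string validateIccProfile(const std::vector<uint8_t>& buf) {
    if (buf.size() < kHeaderSize + 4)
        return "too small for header and tag count";
    if (std::string(buf.begin() + 36, buf.begin() + 40) != "acsp")
        return "missing 'acsp' signature";
    // The declared profile size is attacker-controlled; it must match what we read.
    if (be32(buf, 0) != buf.size())
        return "declared profile size does not match buffer length";
    uint32_t count = be32(buf, kHeaderSize);
    // Divide rather than multiply so a huge count cannot overflow size_t.
    if (count > (buf.size() - kHeaderSize - 4) / kTagEntrySize)
        return "tag count exceeds buffer";
    size_t tableEnd = kHeaderSize + 4 + size_t(count) * kTagEntrySize;
    for (uint32_t i = 0; i < count; ++i) {
        size_t entry = kHeaderSize + 4 + size_t(i) * kTagEntrySize;
        uint32_t off = be32(buf, entry + 4);
        uint32_t sz = be32(buf, entry + 8);
        if (sz < 8)  // assumption: every tag element carries a 4-byte type sig + 4 reserved bytes
            return "tag smaller than its type signature";
        if (off < tableEnd)
            return "tag overlaps header or tag table";
        if (uint64_t(off) + uint64_t(sz) > buf.size())  // 64-bit sum: no wraparound
            return "tag extends past end of profile";
    }
    return "";
}

// Constructed sample: a 160-byte profile with one 'desc' tag of 16 bytes at
// offset 144. Passing a larger tagSize inflates only the tag-table entry, which
// is the shape of input a bounds check must catch.
std::vector<uint8_t> makeSample(uint32_t tagSize) {
    std::vector<uint8_t> p(kHeaderSize + 4 + kTagEntrySize + 16, 0);
    put32(p, 0, uint32_t(p.size()));
    p[36] = 'a'; p[37] = 'c'; p[38] = 's'; p[39] = 'p';
    put32(p, kHeaderSize, 1);                       // one tag
    p[132] = 'd'; p[133] = 'e'; p[134] = 's'; p[135] = 'c';
    put32(p, 136, 144);                             // tag offset
    put32(p, 140, tagSize);                         // tag size (possibly inflated)
    p[144] = 't'; p[145] = 'e'; p[146] = 'x'; p[147] = 't';  // tag type signature
    return p;
}

int main() {
    std::cout << "in-bounds tag: '" << validateIccProfile(makeSample(16)) << "'\n";
    std::cout << "inflated tag:  '" << validateIccProfile(makeSample(64)) << "'\n";
    return 0;
}
```

Running a check like this in front of the parser is a defence in depth, not a replacement for updating to 2.3.1.2: it only catches tag-table inconsistencies, while the patched parser must still handle malformed data inside a tag that is in bounds.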
Details
- CWE(s)