CVE-2026-21680

MediumPublic PoC

Published: 07 January 2026

Published

07 January 2026

Modified

09 January 2026

KEV Added

—

Patch

—

CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS Score 0.0007 22.3th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21680 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in Color Iccdev. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 22.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

NULL deref in ICC profile parser enables crafted file delivery (T1204.002) leading to app crash DoS via vulnerability exploitation (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the…

iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

Deeper analysisAI

CVE-2026-21680 is a NULL pointer dereference vulnerability (CWE-476) in the iccDEV library, a set of libraries and tools for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles. The flaw affects versions prior to 2.3.1.2 and impacts any users or applications that process ICC color profiles using this library.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity by tricking a user into processing a specially crafted malicious ICC profile, which requires user interaction. Successful exploitation results in a denial-of-service condition due to application crash, with a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), but no impact on confidentiality or integrity.

The project maintainers have addressed the issue in version 2.3.1.2 via a patch, with details available in GitHub issue #322, pull request #325, and security advisory GHSA-mgp7-w4w3-mhx4. No known workarounds exist for affected versions.

Details

CWE(s): CWE-476

Affected Products

color

iccdev

≤ 2.3.1.2

CVEs Like This One

CVE-2026-31792Same product: Color Iccdev

CVE-2026-21684Same product: Color Iccdev

CVE-2026-21491Same product: Color Iccdev

CVE-2026-21500Same product: Color Iccdev

CVE-2026-21681Same product: Color Iccdev

CVE-2026-21686Same product: Color Iccdev

CVE-2026-21685Same product: Color Iccdev

CVE-2026-25503Same product: Color Iccdev

CVE-2026-27692Same product: Color Iccdev

CVE-2026-24852Same product: Color Iccdev

References

https://github.com/InternationalColorConsortium/iccDEV/issues/322
Exploit, Issue Tracking · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/pull/325
Issue Tracking · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mgp7-w4w3-mhx4
Third Party Advisory · security-advisories@github.com