Cyber Resilience

CVE-2026-21682

HighPublic PoC

Published: 07 January 2026

Published
07 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0030 21.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-21682 is a high-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 21.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-21682 is a heap-buffer-overflow vulnerability in the `CIccXmlArrayType::ParseText()` function within the iccDEV library, a set of libraries and tools for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles. The flaw affects versions of iccDEV prior to 2.3.1.2 and impacts users or applications that process ICC color profiles using the library. It is classified under CWE-20 (Improper Input Validation) and CWE-122 (Heap-based Buffer Overflow), with a CVSS v3.1 base score of 8.8.

Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, but it requires user interaction, such as tricking a victim into processing a malicious ICC profile. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution, data corruption, or denial of service on the affected system.

The official mitigation is to upgrade to iccDEV version 2.3.1.2, which includes a patch for the vulnerability. No known workarounds are available. Relevant advisories and fixes are detailed in the project's GitHub security advisory (GHSA-jq9m-54gr-c56c), issue tracker (#178), and pull request (#229).

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a heap-buffer-overflow in `CIccXmlArrayType::ParseText()`. This vulnerability affects users of the iccDEV…

more

library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Heap buffer overflow enables arbitrary code execution via exploitation of client applications processing malicious ICC profiles, directly mapping to T1203 (Exploitation for Client Execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24406Same product: Color Iccdev
CVE-2026-24412Same product: Color Iccdev
CVE-2026-24405Same product: Color Iccdev
CVE-2026-24407Same product: Color Iccdev
CVE-2026-24403Same product: Color Iccdev
CVE-2026-21677Same product: Color Iccdev
CVE-2026-21693Same product: Color Iccdev
CVE-2026-24410Same product: Color Iccdev
CVE-2026-21486Same product: Color Iccdev
CVE-2026-21692Same product: Color Iccdev

Affected Assets

color
iccdev
≤ 2.3.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely flaw remediation through patching to iccDEV 2.3.1.2, eliminating the heap-buffer-overflow vulnerability.

prevent

Requires validation of inputs to ICC profiles processed by CIccXmlArrayType::ParseText(), addressing the core CWE-20 improper input validation causing the buffer overflow.

prevent

Implements memory protections such as heap isolation, randomization, and non-executable regions to mitigate exploitation of the heap-buffer-overflow.

References