Cyber Resilience

CVE-2026-21693

High · Public PoC

Published: 07 January 2026
Modified: 12 January 2026
KEV Added: not listed
Patch: available (iccDEV 2.3.1.2)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0031 (22.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-21693 is a high-severity Improper Input Validation (CWE-20) vulnerability in iccDEV (catalogued here as Color Iccdev). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability is ranked at the 22.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-21693 is a Type Confusion vulnerability in the iccDEV library, located in the `CIccSegmentedCurveXml::ToXml()` function at `IccXML/IccLibXML/IccMpeXml.cpp`. This issue affects versions of iccDEV prior to 2.3.1.2. iccDEV provides libraries and tools for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles, impacting any users or applications that process ICC color profiles using the library.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): it is exploitable remotely over the network with low attack complexity and no privileges required, but user interaction is needed. An unauthenticated attacker could trick a user into processing a specially crafted ICC profile, causing memory corruption that can lead to arbitrary code execution, with high impact on confidentiality, integrity, and availability. It is associated with CWE-20 (Improper Input Validation), CWE-681 (Incorrect Conversion between Numeric Types), CWE-754 (Improper Check for Unusual or Exceptional Conditions), and CWE-843 (Type Confusion).

Mitigation is available via an update to iccDEV version 2.3.1.2, which contains a patch for the vulnerability. No known workarounds exist. Details are provided in the project's GitHub security advisory (GHSA-v3q7-7hw6-6jq8), issue tracker (#389), and pull request (#432).
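The advisory names the bug class (a type confusion in a serializer that walks curve segments) but not the exact flaw, so the following is an added illustration of that general pattern and its fix, not iccDEV's code and not a reconstruction of CIccSegmentedCurveXml::ToXml(). It models a tag-driven serializer that downcasts on a signature taken from the file (the unchecked form) beside a hardened form that verifies the object's dynamic type, and a parser that validates the declared element count against the bytes present before allocating (the CWE-20/CWE-754 side). Every class, field, signature value and the byte layout are hypothetical.

```cpp
// Added example (not iccDEV code): toy segmented-curve model showing the
// unchecked-downcast pattern behind CWE-843 beside the hardened form, plus
// length validation in the parser. All names and layouts are hypothetical.
#include <cstdint>
#include <cstring>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Segment signatures as a file header would carry them (illustrative values).
enum class SegSig : uint32_t { Formula = 0x70617266u, Sampled = 0x73616d66u };

struct CurveSegment {
    virtual ~CurveSegment() = default;
    virtual SegSig GetType() const = 0;          // the object's real type
};
struct FormulaSegment : CurveSegment {
    std::vector<float> params;
    SegSig GetType() const override { return SegSig::Formula; }
};
struct SampledSegment : CurveSegment {
    std::vector<float> samples;
    SegSig GetType() const override { return SegSig::Sampled; }
};

// Bounds-checked big-endian reads; callers keep pos <= b.size().
static bool ReadU32(const std::vector<uint8_t>& b, size_t& pos, uint32_t& out) {
    if (b.size() - pos < 4) return false;
    out = (uint32_t)b[pos] << 24 | (uint32_t)b[pos + 1] << 16 |
          (uint32_t)b[pos + 2] << 8 | (uint32_t)b[pos + 3];
    pos += 4;
    return true;
}
static bool ReadF32(const std::vector<uint8_t>& b, size_t& pos, float& out) {
    uint32_t u;
    if (!ReadU32(b, pos, u)) return false;
    std::memcpy(&out, &u, 4);
    return true;
}

// One constructed segment blob: sig(4) count(4) count*float32(4). The count is
// checked against the bytes actually present before any allocation or loop.
std::unique_ptr<CurveSegment> ParseSegment(const std::vector<uint8_t>& b) {
    size_t pos = 0;
    uint32_t sig = 0, count = 0;
    if (!ReadU32(b, pos, sig) || !ReadU32(b, pos, count)) return nullptr;
    if (count > (b.size() - pos) / 4) return nullptr;   // divide, never multiply: no overflow
    std::vector<float> vals(count);
    for (float& v : vals) if (!ReadF32(b, pos, v)) return nullptr;
    switch (static_cast<SegSig>(sig)) {
    case SegSig::Formula: { auto s = std::make_unique<FormulaSegment>(); s->params = std::move(vals); return s; }
    case SegSig::Sampled: { auto s = std::make_unique<SampledSegment>(); s->samples = std::move(vals); return s; }
    default: return nullptr;                         // unknown signature: refuse rather than guess
    }
}

// Flawed pattern: trusts the signature carried in the file, not the object's
// real type. If sigFromFile says Formula but *seg is a SampledSegment, the
// static_cast is a type confusion and every read through it is undefined
// behaviour. Shown for contrast only; never call it with a mismatched pair.
std::string ToXmlUnchecked(const CurveSegment* seg, SegSig sigFromFile) {
    if (sigFromFile == SegSig::Formula) {
        auto* f = static_cast<const FormulaSegment*>(seg);     // unchecked downcast
        return "<FormulaSegment n=\"" + std::to_string(f->params.size()) + "\"/>";
    }
    auto* s = static_cast<const SampledSegment*>(seg);         // unchecked downcast
    return "<SampledSegment n=\"" + std::to_string(s->samples.size()) + "\"/>";
}

// Hardened form: cross-check the declared signature against the dynamic type,
// downcast only via dynamic_cast, and fail closed (empty string) on mismatch.
std::string ToXmlChecked(const CurveSegment* seg, SegSig sigFromFile) {
    if (!seg || seg->GetType() != sigFromFile) return "";
    if (auto* f = dynamic_cast<const FormulaSegment*>(seg))
        return "<FormulaSegment n=\"" + std::to_string(f->params.size()) + "\"/>";
    if (auto* s = dynamic_cast<const SampledSegment*>(seg))
        return "<SampledSegment n=\"" + std::to_string(s->samples.size()) + "\"/>";
    return "";
}

// Builds a constructed test blob; count is written verbatim so a lying header
// can be produced on purpose.
std::vector<uint8_t> BuildSegment(uint32_t sig, uint32_t count, const std::vector<float>& vals) {
    std::vector<uint8_t> b;
    auto put = [&b](uint32_t u) { for (int i = 3; i >= 0; --i) b.push_back((uint8_t)(u >> (8 * i))); };
    put(sig);
    put(count);
    for (float v : vals) { uint32_t u; std::memcpy(&u, &v, 4); put(u); }
    return b;
}

int main() {
    auto seg = ParseSegment(BuildSegment((uint32_t)SegSig::Sampled, 2, {0.0f, 1.0f}));
    std::cout << ToXmlChecked(seg.get(), SegSig::Sampled) << "\n";
    std::cout << (ToXmlChecked(seg.get(), SegSig::Formula).empty() ? "mismatch rejected\n" : "?\n");
    std::cout << (ParseSegment(BuildSegment((uint32_t)SegSig::Sampled, 0xFFFFFFFFu, {0.0f})) ? "?\n" : "lying count rejected\n");
    return 0;
}
```

The two checks that matter are independent: the parser refuses a count the buffer cannot back (so no allocation or loop is ever driven by an attacker-chosen length), and the serializer refuses to serialise an object whose dynamic type disagrees with the tag it was handed. Either check alone leaves a path open; a fix for a bug in this class should be reviewed for both.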

Vulnerability details

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccSegmentedCurveXml::ToXml()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Type confusion in iccDEV library enables arbitrary code execution via crafted ICC profiles processed by client applications, directly facilitating T1203: Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21692 · Same product: Color Iccdev
CVE-2026-21688 · Same product: Color Iccdev
CVE-2026-24407 · Same product: Color Iccdev
CVE-2026-21682 · Same product: Color Iccdev
CVE-2026-24403 · Same product: Color Iccdev
CVE-2026-21677 · Same product: Color Iccdev
CVE-2026-24406 · Same product: Color Iccdev
CVE-2026-24412 · Same product: Color Iccdev
CVE-2026-24410 · Same product: Color Iccdev
CVE-2026-22047 · Same product: Color Iccdev

Affected Assets

color / iccdev: versions < 2.3.1.2 (fixed in 2.3.1.2)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation · prevent

Directly mandates timely identification, reporting, and correction of flaws such as this type confusion vulnerability via the available patch to iccDEV version 2.3.1.2.

SI-10 Information Input Validation · prevent

Requires validation of inputs such as crafted ICC profiles to address the improper input validation (CWE-20) contributing to the type confusion.

SI-16 Memory Protection · prevent

Provides memory protections that mitigate exploitation of type confusion leading to memory corruption and arbitrary code execution.
