CVE-2026-21488 - Vulnerability Details

- iccDEV has Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination through its CIccTagText::Read function. This issue is fixed in version 2.3.1.2.

Published: 2026-01-06

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in iccDEV's CIccTagText::Read function, where an attacker can supply overly large or malformed text data that causes an out-of-bounds read, an improper null termination, and ultimately a heap-based buffer overflow. This memory corruption can allow an attacker to manipulate the execution flow of the process using iccDEV libraries, potentially leading to arbitrary code execution or denial of service. The weakness is typical of untrusted data handling failures, as documented by the referenced CWEs.

Affected Systems

Affected versions are all releases of International Color Consortium's iccDEV 2.3.1.1 and earlier. The fix was introduced in 2.3.1.2. All installations using the vulnerable libraries or tools should be evaluated for upgrade eligibility.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require the presence of untrusted or malformed ICC profile data processed by the CIccTagText::Read routine, which is likely to be supplied from external sources such as client uploads or network inputs. Given the lack of publicly available exploits and the low EPSS, the immediate risk is moderate but should be mitigated promptly.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

InternationalColorConsortium

iccDEV

affected

Version	Status	Constraints
`< 2.3.1.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Internationalcolorconsortium	Iccdev	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade iccDEV to version 2.3.1.2 or later to eliminate the buffer overflow and read errors.
If an upgrade is not immediately possible, restrict the source of ICC profile data to trusted, validated files and avoid processing user-supplied profiles through CIccTagText::Read.
Implement application-level checks that verify the size and null termination of text tags before invoking the library, reducing the chance of triggering the overflow or information disclosure.

Generated by OpenCVE AI on April 18, 2026 at 08:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/InternationalColorConsortium/iccDEV/commit/9daaccceb231c43db8cab312ee5bbe9d2aa6b153
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4j2g-rvv4-86vg

History

Wed, 14 Jan 2026 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Color Color iccdev
CPEs		cpe:2.3:a:color:iccdev::::::::
Vendors & Products		Color Color iccdev

Wed, 07 Jan 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Internationalcolorconsortium Internationalcolorconsortium iccdev
Vendors & Products		Internationalcolorconsortium Internationalcolorconsortium iccdev

Tue, 06 Jan 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 06 Jan 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination through its CIccTagText::Read function. This issue is fixed in version 2.3.1.2.
Title		iccDEV has Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination
Weaknesses		CWE-122 CWE-125 CWE-170
References		https://github.com/InternationalColorConsortium/iccDEV/commit/9daaccceb231c43db8cab312ee5bbe9d2aa6b153 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4j2g-rvv4-86vg
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}`

Subscriptions

Color Iccdev

Internationalcolorconsortium Iccdev

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-06T13:52:21.380Z

Updated: 2026-01-06T14:22:27.581Z

Reserved: 2025-12-29T14:34:16.006Z

Link: CVE-2026-21488

Vulnrichment

Updated: 2026-01-06T14:22:25.001Z

NVD

Status : Analyzed

Published: 2026-01-06T14:15:48.420

Modified: 2026-01-14T18:45:51.240

Link: CVE-2026-21488

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object