CVE-2026-21684 - Vulnerability Details

- iccDEV has Undefined Behavior in CIccTagSpectralViewingConditions()

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagSpectralViewingConditions()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

Published: 2026-01-07

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

CVE‑2026‑21684 describes undefined behavior in the function CIccTagSpectralViewingConditions() within the iccDEV library. Undefined behavior can result in unpredictable memory handling, potentially allowing an attacker to corrupt data structures, crash the application, or execute arbitrary code if the library is used to process malicious input.

Affected Systems

The affected product is InternationalColorConsortium iccDEV. All versions prior to 2.3.1.2 are vulnerable. Users who process ICC color profiles through this library are at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate to high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is the processing of untrusted ICC profiles, such as those received from external stakeholders or embedded in client files. Exploitation requires the attacker to supply a specifically crafted ICC profile that triggers the undefined behavior, which may lead to memory corruption or code execution if the application is not secured.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

InternationalColorConsortium

iccDEV

affected

Version	Status	Constraints
`< 2.3.1.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Internationalcolorconsortium	Iccdev	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade iccDEV to version 2.3.1.2 or newer to apply the patch that eliminates the undefined behavior.
Restrict the use of ICC profiles to sources that are trusted or have been validated, preventing unverified profiles from being processed by the library.
Implement runtime validation for ICC profile headers and ranges before passing them to CIccTagSpectralViewingConditions() to mitigate the risk of the undefined behavior impacting execution.

Generated by OpenCVE AI on April 18, 2026 at 07:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00129.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/InternationalColorConsortium/iccDEV/issues/216
https://github.com/InternationalColorConsortium/iccDEV/pull/225
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-fg9m-j9x8-8279

History

Mon, 12 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Color Color iccdev
CPEs		cpe:2.3:a:color:iccdev::::::::
Vendors & Products		Color Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Internationalcolorconsortium Internationalcolorconsortium iccdev
Vendors & Products		Internationalcolorconsortium Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 07 Jan 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagSpectralViewingConditions()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title		iccDEV has Undefined Behavior in CIccTagSpectralViewingConditions()
Weaknesses		CWE-20 CWE-758
References		https://github.com/InternationalColorConsortium/iccDEV/issues/216 https://github.com/InternationalColorConsortium/iccDEV/pull/225 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-fg9m-j9x8-8279
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}`

Subscriptions

Color Iccdev

Internationalcolorconsortium Iccdev

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-07T21:18:31.527Z

Updated: 2026-01-07T21:35:37.015Z

Reserved: 2026-01-02T18:45:27.396Z

Link: CVE-2026-21684

Vulnrichment

Updated: 2026-01-07T21:35:33.116Z

NVD

Status : Analyzed

Published: 2026-01-07T22:15:44.480

Modified: 2026-01-12T18:05:19.040

Link: CVE-2026-21684

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object