Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagCurve::CIccTagCurve()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The iccDEV library's CIccTagCurve constructor triggers undefined behavior while building a curve tag from profile data. The weakness is recorded as CWE-758 (reliance on undefined behavior) together with CWE-20 (improper input validation); in a C++ parser, undefined behavior of this kind typically surfaces as memory corruption or a crash. Because the profile bytes are the input that reaches the faulty constructor, whoever supplies the ICC profile controls the trigger. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H) rates availability impact high and integrity impact low with no confidentiality impact, and the SSVC assessment records technical impact as partial, so the outcome the published metrics support is a crash of the parsing application. Arbitrary code execution cannot be ruled out for memory corruption in native code, but nothing in the advisory demonstrates it.

Affected Systems

International Color Consortium's iccDEV library in versions prior to 2.3.1.2 is vulnerable. Any software that links this library and parses ICC profiles from untrusted sources is exposed, whether it reads the profile directly or extracts it from a container such as an image file. The fix shipped in version 2.3.1.2; later releases carry it.

Risk and Exploitability

The CVSS score of 7.1 (High) reflects a network-reachable, low-complexity attack that needs no privileges but does require user interaction (UI:R), typically opening or processing a file that embeds the crafted profile. The EPSS score of less than 1% estimates a low probability of exploitation in the wild in the near term, and the issue is not listed in CISA's KEV catalog; the SSVC record likewise notes no known exploitation and rates the issue as not automatable. The attack path is a crafted ICC profile handed to an application that parses it with iccDEV, leading to memory corruption and, most plausibly given the vector's A:H rating, a crash of that application.

Generated by OpenCVE AI on April 18, 2026 at 07:55 UTC.

Remediation

Fixed upstream in iccDEV 2.3.1.2. No workaround is known for earlier versions.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or newer to eliminate the undefined behavior.
  • Update any legacy code that loads ICC profiles so it uses the patched library and validates profile data before processing.
  • If an upgrade is not immediately possible, restrict which sources' profiles are parsed at all, and run the ICC parsing step in a separate low-privilege, sandboxed process so that a crash or memory corruption in the parser is contained.
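Two of the actions above, validating profile data before it reaches the library and containing the parser, are easier to act on with a concrete check in hand. The following C++ example is added here and is not taken from iccDEV or from the advisory. It pre-checks the structural invariants that the ICC.1 specification places on the profile header, the tag table, and curveType ('curv') tag blocks: the 'acsp' signature must be present, every tag entry must lie inside the buffer, and a 'curv' tag's declared entry count must fit within the tag's declared length. The sample profile is constructed inline, and the function and variable names (`check_profile`, `build_profile`) are this example's own. It does not model the root cause of CVE-2026-21687, which the advisory does not describe, so it is a defense-in-depth filter in front of the library, not a substitute for upgrading to 2.3.1.2.

```cpp
// Added example for this page: structural pre-validation of an ICC profile
// before handing the bytes to a profile parser such as iccDEV. Illustrative
// code, not iccDEV's own; it checks layout rules from ICC.1 only and does not
// model the root cause of CVE-2026-21687.
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Big-endian helpers; ICC profiles are big-endian throughout.
static uint32_t be32(const std::vector<uint8_t>& b, size_t off) {
    return (uint32_t(b[off]) << 24) | (uint32_t(b[off + 1]) << 16) |
           (uint32_t(b[off + 2]) << 8) | uint32_t(b[off + 3]);
}

static void put32(std::vector<uint8_t>& b, size_t off, uint32_t v) {
    b[off] = uint8_t(v >> 24); b[off + 1] = uint8_t(v >> 16);
    b[off + 2] = uint8_t(v >> 8); b[off + 3] = uint8_t(v);
}

// Returns "" when the profile's structure is self-consistent, otherwise a
// short reason. All size arithmetic is done in 64 bits so hostile 32-bit
// offsets and counts cannot wrap around the comparisons.
std::string check_profile(const std::vector<uint8_t>& p) {
    const uint64_t n = p.size();
    if (n < 132) return "too short for header and tag count";
    if (std::memcmp(&p[36], "acsp", 4) != 0) return "missing acsp signature";
    if (be32(p, 0) > n) return "declared profile size exceeds buffer";
    const uint64_t tags = be32(p, 128);              // tag count follows the 128-byte header
    if (132 + 12 * tags > n) return "tag table exceeds buffer";
    for (uint64_t i = 0; i < tags; ++i) {
        const size_t e = size_t(132 + 12 * i);       // 12-byte entry: sig, offset, size
        const uint64_t off = be32(p, e + 4), len = be32(p, e + 8);
        if (off + len > n) return "tag data exceeds buffer";
        if (len < 8) return "tag data shorter than type header";   // type sig + reserved
        if (std::memcmp(&p[size_t(off)], "curv", 4) == 0) {
            if (len < 12) return "curv tag too short for count";
            const uint64_t cnt = be32(p, size_t(off) + 8);      // number of uint16 entries
            if (12 + 2 * cnt > len) return "curv count exceeds tag length";
        }
    }
    return "";
}

// Builds a minimal constructed profile (not a real one): a 128-byte header,
// one 'rTRC' tag entry pointing at a curveType block whose count field says
// `declared_count` while the payload actually holds `stored_entries` values.
// `tag_offset_override`, when non-zero, lets the caller point the tag entry
// outside the buffer to simulate a hostile tag table.
std::vector<uint8_t> build_profile(uint32_t declared_count, uint32_t stored_entries,
                                   uint32_t tag_offset_override = 0) {
    const size_t curv_len = 12 + 2 * size_t(stored_entries);
    std::vector<uint8_t> p(144 + curv_len, 0);
    put32(p, 0, uint32_t(p.size()));                 // profile size
    std::memcpy(&p[36], "acsp", 4);                  // profile file signature
    put32(p, 128, 1);                                // one tag
    std::memcpy(&p[132], "rTRC", 4);                 // tag signature
    put32(p, 136, tag_offset_override ? tag_offset_override : 144);
    put32(p, 140, uint32_t(curv_len));
    std::memcpy(&p[144], "curv", 4);                 // curveType signature, then 4 reserved
    put32(p, 152, declared_count);                   // entry count
    return p;
}

int main() {
    std::cout << "well-formed:      [" << check_profile(build_profile(2, 2)) << "]\n";
    std::cout << "huge curv count:  [" << check_profile(build_profile(0xFFFFFFFFu, 2)) << "]\n";
    std::cout << "tag past buffer:  [" << check_profile(build_profile(2, 2, 0x7FFFFFF0u)) << "]\n";
    return 0;
}
```

Run the check on untrusted bytes before the library sees them, and keep the library itself in a separate low-privilege process regardless: a validator only rejects what it knows to check for, and the advisory does not say which malformed field triggers the faulty constructor.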


Advisories

No advisories yet.

History

Mon, 12 Jan 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Color
                                      Color iccdev
CPEs                                  cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products                    Color
                                      Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Internationalcolorconsortium
                                      Internationalcolorconsortium iccdev
Vendors & Products                    Internationalcolorconsortium
                                      Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 22:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description                    iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagCurve::CIccTagCurve()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title                          iccDEV has Undefined Behavior in CIccTagCurve::CIccTagCurve()
Weaknesses                     CWE-20, CWE-758
References
Metrics                        cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T21:38:17.371Z

Reserved: 2026-01-02T18:45:27.396Z

Link: CVE-2026-21687

Vulnrichment

Updated: 2026-01-07T21:38:14.205Z

NVD

Status : Analyzed

Published: 2026-01-07T22:15:44.937

Modified: 2026-01-12T18:14:19.987

Link: CVE-2026-21687

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses