Cyber Posture

CVE-2026-21485

Severity: High · Public PoC

Published: 06 January 2026
Modified: 14 January 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 (prevent): requires timely remediation of flaws like those in iccDEV versions <=2.3.1.1, directly preventing exploitation by applying the patch to version 2.3.1.2.

SI-10 (prevent): enforces input validation for ICC profiles, directly mitigating the CWE-20 improper input validation that triggers undefined behavior and memory errors in iccDEV.

SI-16 (prevent): provides memory protections such as address space layout randomization and data execution prevention to mitigate exploitation of out-of-bounds reads/writes and overflows in iccDEV.

Security Summary [AI-generated]

CVE-2026-21485 is a vulnerability in iccDEV, a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are affected by Undefined Behavior and Out of Memory errors, as described in the CVE details published on 2026-01-06. The issue is associated with multiple CWEs including CWE-20 (Improper Input Validation), CWE-125 (Out-of-bounds Read), CWE-190 (Integer Overflow or Wraparound), CWE-400 (Uncontrolled Resource Consumption), CWE-476 (NULL Pointer Dereference), CWE-787 (Out-of-bounds Write), and CWE-1284 (Wrap-around Error), and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by a remote attacker with low attack complexity and no privileges, but it requires user interaction, such as opening or processing a malicious ICC profile. Successful exploitation has high impact on confidentiality, integrity, and availability, potentially leading to arbitrary code execution, denial of service, or data corruption depending on which undefined behavior or memory error is triggered.

Mitigation is available in iccDEV version 2.3.1.2, which addresses the Undefined Behavior and Out of Memory issues. Security advisories, including GHSA-chp2-4gv5-2432 on GitHub, along with issue #340 and the fixing commit c136aac51d25cbb4d9db63f071edad4f088843df, provide details on the patch and recommend updating to the fixed version.

Details

CWE(s)

Affected Products

color / iccdev / ≤ 2.3.1.2

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability enables arbitrary code execution through client-side processing of a crafted ICC profile by the iccDEV libraries and tools, which maps directly to Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References