CVE-2026-21675

CriticalPublic PoC

Published: 06 January 2026

Published

06 January 2026

Modified

12 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0020 41.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version…

2.3.1.1.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely remediation of the Use After Free flaw in iccDEV by upgrading to version 2.3.1.1, eliminating the vulnerability.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Vulnerability scanning identifies systems using vulnerable iccDEV versions affected by CVE-2026-21675 during color profile processing.

SI-16 Memory Protection partial match

prevent

Implements memory protections like ASLR and DEP to hinder arbitrary code execution from the Use After Free memory corruption in iccDEV.

Security SummaryAI

CVE-2026-21675 is a Use After Free vulnerability (CWE-416, CWE-20) affecting iccDEV, a set of libraries and tools for working with ICC color management profiles. The flaw resides in the CIccXform::Create() function, where an object referred to as the "hint" is deleted, leading to potential memory corruption in affected versions 2.3.1 and earlier. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.

Remote attackers require no privileges or user interaction to exploit this issue over the network with low attack complexity. Successful exploitation could allow arbitrary code execution, data disclosure, or system compromise by triggering the Use After Free during color profile processing, potentially in applications or systems that parse untrusted ICC profiles.

Mitigation is available via an upgrade to iccDEV version 2.3.1.1, which addresses the issue as detailed in the project's GitHub security advisory (GHSA-wcwx-794g-g78f), related issues (#182), and the fixing commit (510baf58fa48e00ebbb5dd577f0db4af8876bb31). Security practitioners should audit dependencies on iccDEV and ensure parsing of untrusted ICC files is sandboxed or disabled where possible.

Details

CWE(s): CWE-20 CWE-416

Affected Products

color

iccdev

≤ 2.3.1.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability allows remote, unauthenticated arbitrary code execution with no user interaction via network exploitation of applications processing untrusted ICC profiles, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/InternationalColorConsortium/iccDEV/commit/510baf58fa48e00ebbb5dd577f0db4af8876bb31
Patch · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/issues/182
Issue Tracking, Exploit, Vendor Advisory · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wcwx-794g-g78f
Patch, Vendor Advisory · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/issues/182
Issue Tracking, Exploit, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0