CVE-2026-21688

HighPublic PoC

Published: 07 January 2026

Published

07 January 2026

Modified

12 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0013 32.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `SIccCalcOp::ArgsPushed()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects…

users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely patching of known flaws, such as updating iccDEV to version 2.3.1.2 to remediate the type confusion vulnerability.

SI-10 Information Input Validation good match

prevent

Requires validation of inputs like ICC profiles to prevent exploitation via malformed data causing type confusion, addressing associated CWE-20.

SI-16 Memory Protection partial match

prevent

Implements memory protections such as address space layout randomization and non-executable stacks to mitigate exploitation of type confusion leading to code execution.

Security SummaryAI

CVE-2026-21688 is a Type Confusion vulnerability in the iccDEV library, located in the `SIccCalcOp::ArgsPushed()` function at `IccProfLib/IccMpeCalc.cpp`. The iccDEV library offers tools and libraries for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 are affected, impacting any users or applications that process ICC color profiles with the library. The vulnerability was published on 2026-01-07 and is associated with CWEs-20 (Improper Input Validation), CWE-190 (Integer Overflow or Wraparound), CWE-476 (NULL Pointer Dereference), and CWE-681 (Incorrect Conversion between Numeric Types).

Attackers can exploit this vulnerability remotely (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), such as tricking a user into processing a malicious ICC profile. The unchanged scope (S:U) and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) yield a CVSS v3.1 base score of 8.8, potentially enabling arbitrary code execution or system compromise on affected systems.

The issue is addressed in iccDEV version 2.3.1.2, which contains the patch. No known workarounds exist. Details are available in the GitHub security advisory at GHSA-3r2x-j7v3-pg6f, issue #379, and pull request #422 in the InternationalColorConsortium/iccDEV repository.

Details

CWE(s): CWE-20 CWE-190 CWE-476 CWE-681

Affected Products

color

iccdev

≤ 2.3.1.2

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Type confusion vulnerability in ICC color profile library enables arbitrary code execution via exploitation of client applications processing malicious ICC profiles, directly mapping to Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/InternationalColorConsortium/iccDEV/issues/379
Issue Tracking, Exploit, Vendor Advisory · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/pull/422
Issue Tracking, Patch · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3r2x-j7v3-pg6f
Vendor Advisory · security-advisories@github.com