Cyber Posture

CVE-2026-21693

Severity: High · Public PoC

Published: 07 January 2026
Modified: 12 January 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.6th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccSegmentedCurveXml::ToXml()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly mandates timely identification, reporting, and correction of flaws such as this type confusion vulnerability, via the available patch in iccDEV version 2.3.1.2.

Prevent: Requires validation of inputs such as crafted ICC profiles, addressing the improper input validation (CWE-20) that contributes to the type confusion.

Prevent: Provides memory protections that mitigate exploitation of the type confusion, which otherwise leads to memory corruption and arbitrary code execution.

Security Summary (AI)

CVE-2026-21693 is a Type Confusion vulnerability in the iccDEV library, located in the `CIccSegmentedCurveXml::ToXml()` function at `IccXML/IccLibXML/IccMpeXml.cpp`. This issue affects versions of iccDEV prior to 2.3.1.2. iccDEV provides libraries and tools for interacting with, manipulating, and applying International Color Consortium (ICC) color management profiles, impacting any users or applications that process ICC color profiles using the library.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating that it is exploitable remotely over the network with low attack complexity and no privileges required, though user interaction is necessary. An unauthenticated attacker could trick a user into processing a specially crafted ICC profile, potentially leading to high-impact confidentiality, integrity, and availability violations such as arbitrary code execution or memory corruption. It is associated with CWE-20 (Improper Input Validation), CWE-681 (Incorrect Conversion between Numeric Types), CWE-754 (Improper Check for Unusual or Exceptional Conditions), and CWE-843 (Type Confusion).

Mitigation is available via an update to iccDEV version 2.3.1.2, which contains a patch for the vulnerability. No known workarounds exist. Details are provided in the project's GitHub security advisory (GHSA-v3q7-7hw6-6jq8), issue tracker (#389), and pull request (#432).

Details

CWE(s): CWE-20, CWE-681, CWE-754, CWE-843

Affected Products: color / iccdev ≤ 2.3.1.2

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Type confusion in the iccDEV library enables arbitrary code execution via crafted ICC profiles processed by client applications, which maps directly to T1203: Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
