CVE-2026-21485
Unknown Unknown - Not Provided
Undefined Behavior and OOM in iccDEV Libraries

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21485
EUVD
EUVD-2026-1153
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)
internationalcolorconsortium iccdev 2.3.1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-1284 The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21485 is a vulnerability in the iccDEV library used for processing ICC color management profiles. It arises from improper handling of malformed ICC profile data, leading to undefined behavior, out-of-memory errors, and crashes. Specifically, the vulnerability involves multiple issues such as NULL pointer dereferences, out-of-bounds reads and writes, integer overflows, and improper input validation during the loading of ICC profile tags. These flaws can cause the software to behave unpredictably or crash when processing crafted ICC profiles, due to invalid or missing observer and illuminant data and corrupted metadata fields. [1, 2, 3]

Impact Analysis

This vulnerability can lead to denial of service by causing crashes or out-of-memory conditions when processing maliciously crafted ICC profiles. It can also impact confidentiality, integrity, and availability of systems using vulnerable versions of iccDEV, as an attacker can remotely exploit the flaw without privileges but requiring user interaction. The high severity (CVSS 8.8) indicates significant potential impact, including system instability and possible exploitation through crafted input over the network. [2, 3]

Detection Guidance

This vulnerability can be detected by testing the iccDEV library's handling of ICC profiles, specifically by using malformed or crafted ICC profile files that trigger the undefined behavior and out-of-memory errors. A proof-of-concept test case involves using the `iccDumpProfile` tool (version 2.3.1.1) to process a malformed ICC profile file such as `crash-oom.icc`, which can cause crashes or sanitizer errors. Running a command like `iccDumpProfile crash-oom.icc` can help detect if the vulnerable version is present and susceptible to the issue. [3]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been fixed by adding NULL pointer checks and proper initialization to prevent crashes and undefined behavior. Since no workarounds are provided, updating to the patched version is the recommended action to prevent exploitation. [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21485. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart