CVE-2026-21485
Undefined Behavior and OOM in iccDEV Libraries
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | up to 2.3.1.2 (excluding) |
| internationalcolorconsortium | iccdev | 2.3.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-1284 | The product receives input that is expected to specify a quantity (such as size or length), but it does not validate or incorrectly validates that the quantity has the required properties. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21485 is a vulnerability in the iccDEV library used for processing ICC color management profiles. It arises from improper handling of malformed ICC profile data, leading to undefined behavior, out-of-memory errors, and crashes. Specifically, the vulnerability involves multiple issues such as NULL pointer dereferences, out-of-bounds reads and writes, integer overflows, and improper input validation during the loading of ICC profile tags. These flaws can cause the software to behave unpredictably or crash when processing crafted ICC profiles, due to invalid or missing observer and illuminant data and corrupted metadata fields. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to denial of service by causing crashes or out-of-memory conditions when processing maliciously crafted ICC profiles. It can also impact confidentiality, integrity, and availability of systems using vulnerable versions of iccDEV, as an attacker can remotely exploit the flaw without privileges but requiring user interaction. The high severity (CVSS 8.8) indicates significant potential impact, including system instability and possible exploitation through crafted input over the network. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the iccDEV library's handling of ICC profiles, specifically by using malformed or crafted ICC profile files that trigger the undefined behavior and out-of-memory errors. A proof-of-concept test case involves using the `iccDumpProfile` tool (version 2.3.1.1) to process a malformed ICC profile file such as `crash-oom.icc`, which can cause crashes or sanitizer errors. Running a command like `iccDumpProfile crash-oom.icc` can help detect if the vulnerable version is present and susceptible to the issue. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been fixed by adding NULL pointer checks and proper initialization to prevent crashes and undefined behavior. Since no workarounds are provided, updating to the patched version is the recommended action to prevent exploitation. [2, 1]
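The weakness classes listed under Exploitability (CWE-190, CWE-1284, CWE-125/787, CWE-476) all surface in the tag-table loading the explanation above describes. As an added example, not code from iccDEV or from its fix, the C routine below bounds-checks an ICC profile tag table the way a hardened loader should, placing a naive 32-bit size check beside the overflow-safe one; the byte layout follows the ICC.1 specification, while the function names and the constructed 160-byte profile are assumptions for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ICC.1 layout: 128-byte header, 4-byte big-endian tag count, then 12-byte
 * tag entries (signature, offset, size); offsets are relative to profile start. */
#define ICC_HEADER_LEN 128u
#define ICC_TAG_ENTRY_LEN 12u
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* The pattern to avoid: a 32-bit sum can wrap (CWE-190), so an entry with
 * offset 0xFFFFFFF0 and size 0x20 appears to "fit" in a 160-byte buffer. */
int naive_fits(uint32_t off, uint32_t size, size_t len) {
    return (uint32_t)(off + size) <= len;
}

/* Returns the tag count if every entry lies inside the buffer, else -1.
 * Every bound is tested before the arithmetic that could wrap. */
int icc_validate_tag_table(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < ICC_HEADER_LEN + 4u) return -1;  /* CWE-476, truncated file */
    uint32_t count = be32(buf + ICC_HEADER_LEN);
    /* count is attacker-controlled (CWE-1284): bound it by the room left in
     * the buffer before multiplying, so count * 12 cannot overflow. */
    size_t table_room = len - ICC_HEADER_LEN - 4u;
    if (count > table_room / ICC_TAG_ENTRY_LEN || count > (uint32_t)INT_MAX) return -1;
    const uint8_t *entry = buf + ICC_HEADER_LEN + 4u;
    for (uint32_t i = 0; i < count; i++, entry += ICC_TAG_ENTRY_LEN) {
        uint64_t off = be32(entry + 4), size = be32(entry + 8);
        if (off + size > (uint64_t)len) return -1;  /* 64-bit sum: no wrap (CWE-125/787) */
    }
    return (int)count;
}

/* Builds a constructed 160-byte profile (header + count + one entry + 16
 * bytes of tag data) and validates it; used to exercise the checks above. */
int check_constructed(uint32_t count, uint32_t off, uint32_t size) {
    uint8_t buf[160];
    memset(buf, 0, sizeof buf);
    put_be32(buf + ICC_HEADER_LEN, count);          /* tag count */
    put_be32(buf + ICC_HEADER_LEN + 8u, off);       /* entry 0: offset */
    put_be32(buf + ICC_HEADER_LEN + 12u, size);     /* entry 0: size */
    return icc_validate_tag_table(buf, sizeof buf);
}
```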