CVE-2026-21486
Use After Free and Buffer Overflow in iccDEV CIccSparseMatrix

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow, Integer Overflow or Wraparound, and Out-of-bounds Write vulnerabilities in the CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2.
Meta Information
Published: 2026-01-06
Last Modified: 2026-01-06
Generated: 2026-06-16
AI Q&A: 2026-01-06
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 2 associated CPEs
Vendor                         Product   Version / Range
internationalcolorconsortium   iccdev    to 2.3.1.2 (exclusive)
internationalcolorconsortium   iccdev    2.3.1.2

CWE ID and Description

CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.

CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

CWE-190: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

CWE-122: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Impact Analysis

This vulnerability can have a high impact on confidentiality, integrity, and availability. An attacker with local access and user interaction could exploit these memory safety issues to gain unauthorized access to sensitive data, modify or corrupt data, execute arbitrary code, or cause denial of service by crashing the application or system using the iccDEV library. [1]

Executive Summary

CVE-2026-21486 is a high-severity vulnerability in the iccDEV library versions 2.3.1.1 and below. It involves multiple critical memory safety issues in the CIccSparseMatrix::CIccSparseMatrix function, including Use After Free (reusing memory after it has been freed), Heap-based Buffer Overflow (overwriting adjacent heap memory), Integer Overflow or Wraparound (incorrect calculations causing improper memory allocations), and Out-of-bounds Write (writing beyond allocated buffer boundaries). These issues can cause unpredictable behavior, crashes, or enable attackers to execute arbitrary code or disrupt services. The vulnerability requires local access and user interaction but no privileges. It is fixed in version 2.3.1.2. [1]

Mitigation Strategies

Users should upgrade the iccDEV library to version 2.3.1.2 or later, as this version contains fixes for the Use After Free, Heap-based Buffer Overflow, Integer Overflow or Wraparound, and Out-of-bounds Write vulnerabilities. No workarounds are provided, so updating to the fixed version is the recommended immediate mitigation step. [1]
