CVE-2026-21486
Use After Free and Buffer Overflow in iccDEV CIccSparseMatrix
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | to 2.3.1.2 (exc) |
| internationalcolorconsortium | iccdev | 2.3.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can have a high impact on confidentiality, integrity, and availability. An attacker with local access and user interaction could exploit these memory safety issues to gain unauthorized access to sensitive data, modify or corrupt data, execute arbitrary code, or cause denial of service by crashing the application or system using the iccDEV library. [1]
Can you explain this vulnerability to me?
CVE-2026-21486 is a high-severity vulnerability in the iccDEV library versions 2.3.1.1 and below. It involves multiple critical memory safety issues in the CIccSparseMatrix::CIccSparseMatrix function, including Use After Free (reusing memory after it has been freed), Heap-based Buffer Overflow (overwriting adjacent heap memory), Integer Overflow or Wraparound (incorrect calculations causing improper memory allocations), and Out-of-bounds Write (writing beyond allocated buffer boundaries). These issues can cause unpredictable behavior, crashes, or enable attackers to execute arbitrary code or disrupt services. The vulnerability requires local access and user interaction but no privileges. It is fixed in version 2.3.1.2. [1]
What immediate steps should I take to mitigate this vulnerability?
Users should upgrade the iccDEV library to version 2.3.1.2 or later, as this version contains fixes for the Use After Free, Heap-based Buffer Overflow, Integer Overflow or Wraparound, and Out-of-bounds Write vulnerabilities. No workarounds are provided, so updating to the fixed version is the recommended immediate mitigation step. [1]