CVE-2026-21488
Heap-Based Buffer Overflow in iccDEV CIccTagText::Read Function
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | up to 2.3.1.2 (excluding) |
| internationalcolorconsortium | iccdev | 2.3.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-170 | The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21488 is a vulnerability in the iccDEV library versions 2.3.1.1 and below, involving three main issues: a heap-based buffer overflow, an out-of-bounds read, and improper null termination. These occur in the CIccTagText::Read function when processing ICC color profiles. The heap-based buffer overflow happens due to improper handling of dynamically allocated memory buffers, allowing data to overwrite adjacent heap memory. The out-of-bounds read involves reading beyond allocated buffer boundaries, potentially causing information disclosure or crashes. Improper null termination means strings or arrays are not correctly terminated, which can lead to buffer overflows or data corruption. This vulnerability requires local access with user interaction and low attack complexity. [1]
How can this vulnerability impact me?
This vulnerability can lead to memory corruption and application instability when processing ICC color profiles. Specifically, it can cause denial of service or application crashes (high availability impact), with a low impact on confidentiality and no impact on integrity. An attacker with local access and user interaction could exploit these issues to disrupt the normal operation of applications using the vulnerable iccDEV versions. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects versions of the iccDEV library prior to 2.3.1.2 when processing ICC color profiles. Detection involves identifying whether your system uses iccDEV version 2.3.1.1 or below. You can check the installed version of iccDEV by running commands like `iccdev --version` or by inspecting the package manager for the installed version. Additionally, monitoring application logs for crashes or instability related to ICC profile processing may indicate exploitation attempts. No specific network detection commands are provided. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the iccDEV library to version 2.3.1.2 or later, which contains the fix for this vulnerability. This update addresses the heap-based buffer overflow, out-of-bounds read, and improper null termination issues. No workarounds are provided, so applying the patch is essential to prevent potential denial of service or application crashes. [1, 2]