CVE-2026-21490
Unknown Unknown - Not Provided

Heap Buffer Overflow in iccDEV ICC Profile Processing

Vulnerability report for CVE-2026-21490, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in heap buffer overflow in `CIccTagLut16::Validate()`. Version 2.3.1.2 contains a patch. No known workarounds are available.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-07-06
AI Q&A
2026-01-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
international_color_consortium iccdev to 2.3.1.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-21490 is a heap buffer overflow vulnerability in the iccDEV library, specifically in the CIccTagLut16::Validate() function that processes ICC color profiles. The issue arises from improper handling and validation of Look-Up Tables (LUTs) within ICC profiles, where input or output channel counts may not match the expected values from the profile's color space or Profile Connection Space (PCS). This mismatch leads to out-of-bounds memory reads and heap buffer overflow during validation. The vulnerability is triggered by local attackers with user interaction and affects all versions prior to 2.3.1.2. The fix involves improving validation logic to rely on channel counts from the LUT data itself rather than assumptions from profile headers, and enhancing buffer handling to prevent overruns. [2, 4, 3, 1]

Impact Analysis

This vulnerability can allow a local attacker with no privileges to cause a heap-based buffer overflow by exploiting the validation logic in the iccDEV library when processing malicious or malformed ICC color profiles. The impact includes potential crashes or denial of service (availability impact is high), and a low confidentiality impact. Since the vulnerability requires user interaction and local access, it could be exploited by tricking a user into processing a crafted ICC profile, leading to application instability or crashes. [2, 4]

Detection Guidance

This vulnerability can be detected by validating ICC profiles using tools that process ICC color profiles, such as iccDumpProfile. Specifically, running iccDumpProfile with verbose mode (e.g., `iccDumpProfile -v <profile>`) on ICC profiles can trigger AddressSanitizer (ASan) errors indicating heap buffer overflow issues related to this vulnerability. Fuzzed or malformed ICC profile files that contain Look-Up Tables (LUTs) with mismatched input/output curve counts relative to PCS and colorspace can be used to reproduce the issue and detect the vulnerability. [4]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched. There are no known workarounds available. The patch improves validation and handling of LUT tags and Unicode buffers to prevent heap buffer overflows and crashes during ICC profile validation. [2, 1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21490. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart