CVE-2026-21490
Heap Buffer Overflow in iccDEV ICC Profile Processing
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| international_color_consortium | iccdev | < 2.3.1.2 (2.3.1.2 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-193 | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21490 is a heap buffer overflow vulnerability in the iccDEV library, specifically in the CIccTagLut16::Validate() function that processes ICC color profiles. The issue arises from improper handling and validation of Look-Up Tables (LUTs) within ICC profiles: the input or output channel counts carried by the LUT tag may not match the values expected from the profile's color space or Profile Connection Space (PCS). When validation sizes its reads from the expected values rather than from the tag's own counts, this mismatch leads to out-of-bounds memory reads and a heap buffer overflow. The vulnerability is exploitable by a local attacker, requires user interaction, and affects all versions prior to 2.3.1.2. The fix improves the validation logic to rely on the channel counts from the LUT data itself rather than on assumptions derived from the profile header, and tightens buffer handling to prevent overruns. [2, 4, 3, 1]
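The following is an added illustration of the defensive pattern the fix describes, written for this page; it is not iccDEV code and does not reproduce CIccTagLut16::Validate(). It parses the fixed header of a lut16Type ('mft2') tag using the field offsets from the ICC.1 specification, cross-checks the tag's own input/output channel counts against the counts implied by the profile's color space and PCS, and verifies that every table the header announces actually fits inside the tag before anything reads from it. The names ValidateLut16Tag, ChannelsForColorSpace and MakeLut16, the LutStatus enum, the 1-to-4096 entry bound, the two-grid-point minimum and the CLUT size cap are all assumptions of this example, and MakeLut16 builds constructed test data only.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical example: a bounds-checked lut16Type ('mft2') validator, not iccDEV's own code.
// Field offsets follow the ICC.1 lut16Type layout: signature(0), reserved(4), input
// channels(8), output channels(9), CLUT grid points(10), pad(11), 3x3 matrix(12..47),
// input table entries(48), output table entries(50), tables from byte 52 onward.
enum class LutStatus { Ok, TooShort, BadSignature, ChannelMismatch, BadTableSize, Truncated };

struct Lut16Header {
    uint8_t  inputChannels;
    uint8_t  outputChannels;
    uint8_t  gridPoints;
    uint16_t inputEntries;
    uint16_t outputEntries;
};

static constexpr size_t kLut16HeaderSize = 52;

static uint16_t ReadBE16(const uint8_t* p) {
    return static_cast<uint16_t>((p[0] << 8) | p[1]);
}

// Channel count implied by a colour-space / PCS signature (subset of the ICC.1 table).
// Returns -1 for anything unknown so a caller cannot silently assume a count.
int ChannelsForColorSpace(const std::string& sig) {
    if (sig == "GRAY") return 1;
    if (sig == "RGB " || sig == "Lab " || sig == "XYZ " || sig == "YCbr") return 3;
    if (sig == "CMYK") return 4;
    return -1;
}

// Validates a lut16Type tag. The LUT's own channel counts drive every size computation;
// the header-derived expectations are only cross-checked, never used to size a read.
LutStatus ValidateLut16Tag(const std::vector<uint8_t>& tag, int expectedIn, int expectedOut,
                           Lut16Header* out = nullptr) {
    if (tag.size() < kLut16HeaderSize) return LutStatus::TooShort;
    if (std::memcmp(tag.data(), "mft2", 4) != 0) return LutStatus::BadSignature;

    Lut16Header h{};
    h.inputChannels  = tag[8];
    h.outputChannels = tag[9];
    h.gridPoints     = tag[10];
    h.inputEntries   = ReadBE16(&tag[48]);
    h.outputEntries  = ReadBE16(&tag[50]);
    if (out) *out = h;

    // A mismatch between the tag and the profile header is the condition the CVE text
    // describes; reject it instead of trusting either side.
    if (h.inputChannels == 0 || h.outputChannels == 0) return LutStatus::ChannelMismatch;
    if (h.inputChannels != expectedIn || h.outputChannels != expectedOut)
        return LutStatus::ChannelMismatch;

    // ICC.1 allows 2..4096 entries per 1-D table; a CLUT needs at least two grid points
    // per axis to interpolate (assumed constraint for this example).
    if (h.inputEntries < 2 || h.inputEntries > 4096 ||
        h.outputEntries < 2 || h.outputEntries > 4096 || h.gridPoints < 2)
        return LutStatus::BadTableSize;

    // 64-bit arithmetic with an explicit cap so gridPoints^inputChannels cannot wrap.
    uint64_t clutCells = 1;
    for (unsigned i = 0; i < h.inputChannels; ++i) {
        clutCells *= h.gridPoints;
        if (clutCells > (uint64_t{1} << 40)) return LutStatus::BadTableSize;
    }
    uint64_t needed = kLut16HeaderSize
                    + uint64_t{h.inputChannels} * h.inputEntries * 2
                    + clutCells * h.outputChannels * 2
                    + uint64_t{h.outputChannels} * h.outputEntries * 2;
    if (needed > tag.size()) return LutStatus::Truncated;
    return LutStatus::Ok;
}

// Builds a constructed lut16Type blob (tables zero-filled) with the requested header
// values and payloadBytes of table data, so truncation and mismatch cases can be exercised.
std::vector<uint8_t> MakeLut16(uint8_t in, uint8_t outc, uint8_t grid,
                               uint16_t n, uint16_t m, size_t payloadBytes) {
    std::vector<uint8_t> t(kLut16HeaderSize + payloadBytes, 0);
    std::memcpy(t.data(), "mft2", 4);
    t[8] = in; t[9] = outc; t[10] = grid;
    t[48] = static_cast<uint8_t>(n >> 8); t[49] = static_cast<uint8_t>(n & 0xff);
    t[50] = static_cast<uint8_t>(m >> 8); t[51] = static_cast<uint8_t>(m & 0xff);
    return t;
}

int main() {
    // RGB -> PCS: 3 in, 3 out, 2 grid points, 2-entry tables => 12 + 48 + 12 = 72 table bytes.
    int rgb = ChannelsForColorSpace("RGB "), lab = ChannelsForColorSpace("Lab ");
    std::printf("well-formed: %d\n", ValidateLut16Tag(MakeLut16(3, 3, 2, 2, 2, 72), rgb, lab) == LutStatus::Ok);
    std::printf("tag claims 4 inputs for RGB: %d\n", ValidateLut16Tag(MakeLut16(4, 3, 2, 2, 2, 72), rgb, lab) == LutStatus::ChannelMismatch);
    std::printf("one byte short: %d\n", ValidateLut16Tag(MakeLut16(3, 3, 2, 2, 2, 71), rgb, lab) == LutStatus::Truncated);
    return 0;
}
```

The important design point is the order of checks: the tag is never indexed beyond what its own header says exists, and the header's claim is itself checked against the buffer length before any table is touched, so a fuzzed profile with inflated channel or entry counts is rejected at validation rather than driving a read past the heap allocation.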
How can this vulnerability impact me?
This vulnerability can allow a local attacker with no privileges to cause a heap-based buffer overflow by exploiting the validation logic in the iccDEV library when processing malicious or malformed ICC color profiles. The impact includes potential crashes or denial of service (availability impact is high), and a low confidentiality impact. Since the vulnerability requires user interaction and local access, it could be exploited by tricking a user into processing a crafted ICC profile, leading to application instability or crashes. [2, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by validating ICC profiles using tools that process ICC color profiles, such as iccDumpProfile. Specifically, running iccDumpProfile with verbose mode (e.g., `iccDumpProfile -v <profile>`) on ICC profiles can trigger AddressSanitizer (ASan) errors indicating heap buffer overflow issues related to this vulnerability. Fuzzed or malformed ICC profile files that contain Look-Up Tables (LUTs) with mismatched input/output curve counts relative to PCS and colorspace can be used to reproduce the issue and detect the vulnerability. [4]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched. There are no known workarounds available. The patch improves validation and handling of LUT tags and Unicode buffers to prevent heap buffer overflows and crashes during ICC profile validation. [2, 1]