CVE-2026-21491
Unicode Buffer Overflow in iccDEV CIccTagTextDescription Component
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| international_color_consortium | iccdev | before 2.3.1.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-193 | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21491 is a moderate severity vulnerability in the iccDEV library affecting versions prior to 2.3.1.2. It is a Unicode buffer overflow in the CIccTagTextDescription component that processes ICC color profiles. The vulnerability arises from improper handling of Unicode text data, causing a heap-based buffer overflow, out-of-bounds reads, and off-by-one errors. Specifically, the code reads beyond the allocated memory boundary when processing short Unicode strings, leading to unsafe memory access. This flaw can cause crashes or other security risks. The issue was fixed in version 2.3.1.2. [1, 2]
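The class of check that prevents this kind of over-read, as an added example (not iccDEV's code and not a reproduction of its patch): every declared count in a text description tag is validated against the bytes actually present before any of them is read. The field layout is assumed from the ICC v2 `textDescriptionType` ('desc') definition; `check_desc_tag`, `make_desc` and the sample bytes are constructed for illustration, and the check is strict in requiring the full ScriptCode section.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class DescCheck { Ok, TooShort, BadSignature, AsciiOverrun, UnicodeOverrun, ScriptCodeOverrun };

// Big-endian 32-bit read; the caller has already verified that 4 bytes are available.
static uint32_t be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}

// Verify that every declared count fits in the bytes that remain, before anything is copied.
DescCheck check_desc_tag(const uint8_t* tag, size_t size) {
    size_t off = 0;
    auto need = [&](uint64_t n) { return n <= size - off; };  // off never exceeds size

    if (!need(12)) return DescCheck::TooShort;                // signature, reserved, ASCII count
    if (be32(tag) != 0x64657363u) return DescCheck::BadSignature;  // 'desc'
    uint32_t asciiCount = be32(tag + 8);
    off = 12;
    if (!need(asciiCount)) return DescCheck::AsciiOverrun;
    off += asciiCount;

    if (!need(8)) return DescCheck::TooShort;                 // Unicode language code + count
    uint64_t unicodeBytes = uint64_t(be32(tag + off + 4)) * 2;  // count is in 16-bit units
    off += 8;
    if (!need(unicodeBytes)) return DescCheck::UnicodeOverrun;  // 64-bit math: no wrap-around
    off += size_t(unicodeBytes);

    if (!need(70)) return DescCheck::TooShort;                // ScriptCode code(2) + count(1) + 67
    return tag[off + 2] <= 67 ? DescCheck::Ok : DescCheck::ScriptCodeOverrun;
}
DescCheck check_desc_tag(const std::vector<uint8_t>& t) { return check_desc_tag(t.data(), t.size()); }

// Constructed sample: 'desc' body, 2-byte ASCII string, `declared` vs `present` UTF-16 units.
std::vector<uint8_t> make_desc(uint32_t declared, uint32_t present, bool tail = true) {
    std::vector<uint8_t> t = {'d','e','s','c', 0,0,0,0, 0,0,0,2, 'A',0, 0,0,0,0};
    for (int s = 24; s >= 0; s -= 8) t.push_back(uint8_t(declared >> s));
    t.insert(t.end(), size_t(present) * 2, uint8_t(0));
    if (tail) t.insert(t.end(), size_t(70), uint8_t(0));      // zeroed ScriptCode section
    return t;
}

int main() {
    std::printf("good=%d off-by-one=%d\n", int(check_desc_tag(make_desc(4, 4))),
                int(check_desc_tag(make_desc(5, 4, false))));
    return 0;
}
```

A tag that declares one more UTF-16 unit than it carries is rejected as `UnicodeOverrun` instead of being read past its end.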
How can this vulnerability impact me?
An attacker with local access and no privileges can exploit this vulnerability, but user interaction is required. Exploitation can lead to denial of service by crashing applications that use the iccDEV library or otherwise degrading their availability. The confidentiality impact is low and there is no integrity impact, but the availability impact is high, meaning the system or application could become unavailable or unstable due to this flaw. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing the processing of ICC color profiles with the iccDEV library, specifically looking for heap-buffer-overflow issues in the CIccTagTextDescription component. Using AddressSanitizer (ASan) during testing can help detect the buffer overflow, as it reports read overflows when processing malformed or fuzzed ICC profile files. There are no specific network detection commands provided, but running fuzz tests or memory error detection tools like ASan on the iccDEV library while processing ICC profiles can reveal the vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the iccDEV library to version 2.3.1.2 or later, which contains the patch fixing the Unicode buffer overflow in CIccTagTextDescription. No known workarounds are available, so applying the official patch or updating to the fixed version is necessary to prevent exploitation. [1]