CVE-2026-21493
Type Confusion in iccDEV XML Curve Serialization Allows Exploitation
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| international_color_consortium | iccdev | all versions before 2.3.1.2 (upper bound excluded) |
| international_color_consortium | iccdev | 2.3.1.2 |
Exploitability
| CWE ID | Name | Description |
|---|---|---|
| CWE-703 | Improper Check or Handling of Exceptional Conditions | The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product. |
| CWE-188 | Reliance on Data/Memory Layout | The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior. |
| CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a type confusion issue in the iccDEV library's XML curve serialization, specifically in the CIccSingleSampledeCurveXml class. It occurs when a pointer to a curve object is cast to an unrelated class, so the serializer accesses the object through the wrong type; the result is undefined behavior and runtime errors while an ICC profile is being converted to or parsed from XML. The flaw stems from improper handling of data types and unjustified assumptions about memory layout, and can lead to crashes or incorrect processing of ICC color profiles. [2, 3]
How can this vulnerability impact me?
The vulnerability can cause crashes or undefined behavior in applications that use vulnerable versions of iccDEV to process ICC color profiles, potentially leading to denial of service or application instability. Exploitation requires local access and user interaction (the victim must process an attacker-supplied profile) but no special privileges. The rated impact is low for confidentiality and integrity and high for availability, because of the possible application crashes. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for runtime errors or crashes attributed to the iccDEV library when it processes ICC profile XML, especially input involving SingleSampledCurve XML nodes. Specifically, UndefinedBehaviorSanitizer runtime errors reporting an invalid pointer cast (downcast) in CIccSingleSampledeCurveXml are the signature of this issue. Testing can be done by converting ICC profile files to XML with the iccToXml tool (built with sanitizers where possible) and watching for errors or crashes. No network-based detection commands are provided; on systems that use iccDEV for ICC profile processing, run iccToXml over the profiles in use and check its output and logs for type-confusion diagnostics or crashes. [3]
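The pattern behind the CWE-843 finding, as an added illustration. This is a constructed model written for this page, not iccDEV's own classes or the vulnerable code: an untrusted type tag read from the input drives a `static_cast` to an unrelated curve class, shown beside a hardened version that checks the dynamic type instead. Every class and function name below (Curve, SingleSampledCurve, FormulaCurve, TaggedCurve, serializeUnchecked, serializeChecked) is hypothetical.

```cpp
// Constructed model of the type-confusion pattern. Not iccDEV code.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Hypothetical curve hierarchy; only the shape of the bug matters.
struct Curve {
    virtual ~Curve() = default;
    virtual std::string kind() const = 0;
};

// A sampled curve carries a table of samples.
struct SingleSampledCurve : Curve {
    std::vector<float> samples;
    std::string kind() const override { return "SingleSampled"; }
};

// A formula curve carries a parameter block. Its layout is unrelated to
// SingleSampledCurve, so reading it as a sampled curve is type confusion.
struct FormulaCurve : Curve {
    uint16_t functionType = 0;
    std::vector<double> params;
    std::string kind() const override { return "Formula"; }
};

// Constructed input: the caller only knows the object as Curve*, plus a
// type tag that models a code read from the (untrusted) file.
struct TaggedCurve {
    std::string tagFromFile;       // may not match the real object type
    std::unique_ptr<Curve> obj;
};

// Vulnerable pattern: trusts the tag and downcasts unconditionally.
// When obj is really a FormulaCurve this is undefined behaviour; clang's
// -fsanitize=undefined (vptr check) reports "runtime error: downcast of
// address ... which does not point to an object of type 'SingleSampledCurve'".
std::string serializeUnchecked(const TaggedCurve& tc) {
    if (tc.tagFromFile == "SingleSampled") {
        auto* s = static_cast<const SingleSampledCurve*>(tc.obj.get());
        return "<SingleSampledCurve n=\"" + std::to_string(s->samples.size()) + "\"/>";
    }
    return "<UnknownCurve/>";
}

// Hardened pattern: dispatch on the dynamic type and ignore the untrusted
// tag. Returns an empty string for a type it does not know how to serialize,
// and never dereferences an object through the wrong type.
std::string serializeChecked(const TaggedCurve& tc) {
    if (auto* s = dynamic_cast<const SingleSampledCurve*>(tc.obj.get())) {
        return "<SingleSampledCurve n=\"" + std::to_string(s->samples.size()) + "\"/>";
    }
    if (auto* f = dynamic_cast<const FormulaCurve*>(tc.obj.get())) {
        return "<FormulaCurve type=\"" + std::to_string(f->functionType) + "\"/>";
    }
    return "";
}

// Constructed inputs: a matching pair and a mismatched pair
// (tag claims SingleSampled, object is actually a FormulaCurve).
TaggedCurve makeMatching() {
    auto s = std::make_unique<SingleSampledCurve>();
    s->samples = {0.0f, 0.5f, 1.0f};
    return TaggedCurve{"SingleSampled", std::move(s)};
}

TaggedCurve makeMismatched() {
    auto f = std::make_unique<FormulaCurve>();
    f->functionType = 3;
    return TaggedCurve{"SingleSampled", std::move(f)};
}

int main() {
    TaggedCurve ok = makeMatching();
    TaggedCurve bad = makeMismatched();
    // The checked serializer handles both inputs without undefined behaviour.
    std::puts(serializeChecked(ok).c_str());
    std::puts(serializeChecked(bad).c_str());
    // serializeUnchecked(bad) is the type-confused path. Build with
    // -fsanitize=undefined and call it to see the vptr diagnostic.
    return 0;
}
```

Build with `clang++ -std=c++17 -fsanitize=undefined -fno-sanitize-recover=undefined` (RTTI enabled, the default) and call `serializeUnchecked` on the mismatched input to see the same kind of invalid-downcast diagnostic the detection answer above refers to. The checked path yields identical XML for well-formed input, so the fix costs one RTTI check per node and removes the dependence on the file-supplied tag.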
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been fixed. No workarounds are provided. Applying this update on every system that uses iccDEV for ICC profile processing (including software that bundles the library) prevents exploitation of the type confusion vulnerability. [2]