CVE-2026-21493
Unknown Unknown - Not Provided
Type Confusion in iccDEV XML Curve Serialization Allows Exploitation

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21493
EUVD
EUVD-2026-1156
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
international_color_consortium iccdev to 2.3.1.2 (exc)
international_color_consortium iccdev 2.3.1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-188 The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.
CWE-703 The product does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the product.
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a type confusion issue in the iccDEV library's XML curve serialization, specifically in the CIccSingleSampledeCurveXml class. It occurs when an object pointer is incorrectly cast to an unrelated class, causing undefined behavior and runtime errors during ICC profile XML parsing. This flaw arises from improper handling of data types and assumptions about memory layout, leading to potential crashes or incorrect processing of ICC color profiles. [2, 3]

Impact Analysis

The vulnerability can cause crashes or undefined behavior in applications using vulnerable versions of iccDEV when processing ICC color profiles, potentially leading to denial of service or application instability. Exploitation requires local access and user interaction but no special privileges. The impact includes low confidentiality and integrity loss but high availability impact due to possible application crashes. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for runtime errors or crashes related to the iccDEV library when processing ICC profile XML files, especially those involving SingleSampledCurve XML nodes. Specifically, UndefinedBehaviorSanitizer runtime errors indicating invalid pointer casts in the function CIccSinglSampledeCurveXml are a sign of this issue. Testing can be done by converting ICC profile files to XML using the iccToXml tool and observing for errors or crashes. There are no specific network detection commands provided. On systems where the iccDEV library is used, running the iccToXml tool on ICC profiles and checking logs for errors related to type confusion or crashes can help detect the vulnerability. [3]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been fixed. No workarounds are provided. Ensuring that all systems using iccDEV for ICC profile processing apply this update will prevent exploitation of the type confusion vulnerability. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21493. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart