CVE-2026-21500
Unknown Unknown - Not Provided
Stack Overflow in iccDEV XML Macro Expansion Allows Code Execution

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the XML calculator macro expansion. This issue has been patched in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21500
EUVD
EUVD-2026-1406
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-1119 The code uses too many unconditional branches (such as "goto").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21500 is a stack overflow vulnerability in the iccDEV library's XML calculator macro expansion feature. It occurs because the code does not detect self-referential or circular macro references during macro expansion, which leads to infinite recursion in the function CIccMpeXmlCalculator::Flatten(). This uncontrolled recursion causes the stack to overflow, potentially crashing the application processing ICC color profiles. The vulnerability is fixed by adding checks to detect self-references and halt further processing to prevent infinite recursion. [1, 3, 4, 5]

Impact Analysis

This vulnerability can cause a denial of service by crashing the application that uses the iccDEV library to process ICC color profiles. An attacker with local access and no privileges can trigger a stack overflow by crafting malicious ICC profile XML macros that cause infinite recursion during macro expansion. This leads to excessive resource consumption and application crashes, impacting availability but not confidentiality or integrity. [2, 5]

Detection Guidance

This vulnerability can be detected by testing the iccDEV library's handling of ICC profile XML macro expansions, specifically by processing crafted ICC profile XML files that contain self-referential or circular macros which cause infinite recursion and stack overflow in the `CIccMpeXmlCalculator::Flatten()` function. A proof-of-concept (PoC) XML file named `stack-overflow-CIccMpeXmlCalculator-Flatten-poc.xml` has been used to demonstrate the stack overflow. Detection involves running iccDEV with such crafted input and monitoring for crashes or stack overflow errors. Additionally, limiting stack size with commands like `ulimit -s 4096` can help observe if stack exhaustion occurs during processing. However, no specific detection commands are provided in the resources. [2, 5]

Mitigation Strategies

Immediate mitigation steps include upgrading the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched by adding checks to detect and abort self-referential macro expansions to prevent infinite recursion and stack overflow. As a workaround, you can limit the stack size using the command `ulimit -s 4096` to restrict the stack to 4MB, reducing the risk of stack overflow during macro expansion. Avoid processing untrusted or malicious ICC profile XML files until the patch is applied. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart