CVE-2026-21500
Stack Overflow in iccDEV XML Macro Expansion Allows Code Execution
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | up to 2.3.1.2 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-674 | The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-1119 | The code uses too many unconditional branches (such as "goto"). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21500 is a stack overflow vulnerability in the iccDEV library's XML calculator macro expansion feature. It occurs because the code does not detect self-referential or circular macro references during macro expansion, which leads to infinite recursion in the function CIccMpeXmlCalculator::Flatten(). This uncontrolled recursion causes the stack to overflow, potentially crashing the application processing ICC color profiles. The vulnerability is fixed by adding checks to detect self-references and halt further processing to prevent infinite recursion. [1, 3, 4, 5]
How can this vulnerability impact me?
This vulnerability can cause a denial of service by crashing the application that uses the iccDEV library to process ICC color profiles. An attacker with local access and no privileges can trigger a stack overflow by crafting malicious ICC profile XML macros that cause infinite recursion during macro expansion. This leads to excessive resource consumption and application crashes, impacting availability but not confidentiality or integrity. [2, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the iccDEV library's handling of ICC profile XML macro expansions, specifically by processing crafted ICC profile XML files that contain self-referential or circular macros which cause infinite recursion and stack overflow in the `CIccMpeXmlCalculator::Flatten()` function. A proof-of-concept (PoC) XML file named `stack-overflow-CIccMpeXmlCalculator-Flatten-poc.xml` has been used to demonstrate the stack overflow. Detection involves running iccDEV with such crafted input and monitoring for crashes or stack overflow errors. Additionally, limiting stack size with commands like `ulimit -s 4096` can help observe if stack exhaustion occurs during processing. However, no specific detection commands are provided in the resources. [2, 5]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched by adding checks to detect and abort self-referential macro expansions to prevent infinite recursion and stack overflow. As a workaround, you can limit the stack size using the command `ulimit -s 4096` to restrict the stack to 4MB, reducing the risk of stack overflow during macro expansion. Avoid processing untrusted or malicious ICC profile XML files until the patch is applied. [2]
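The explanation above and the mitigation note both describe the fix as a check that detects self-referential macro expansion and aborts instead of recursing. The C++ example below is an added illustration of that defensive pattern and is not iccDEV's code; the `{name}` macro syntax, the `MacroTable` type and the `flattenMacros()` function are hypothetical and do not reproduce iccDEV's actual calculator syntax. Each macro currently being expanded is recorded in an in-progress set, so a macro that references itself (directly or through another macro) is reported as an error rather than expanded again, and a depth cap bounds nesting even when the table is acyclic.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Hypothetical macro table (not iccDEV's format): name -> body.
// A body may reference other macros as {name}.
using MacroTable = std::map<std::string, std::string>;

struct ExpandResult {
    bool ok;
    std::string text;   // expanded text when ok is true
    std::string error;  // reason for refusing the input when ok is false
};

// Recursive worker. `inProgress` holds every macro on the current expansion
// path; meeting one of them again means the reference is circular, so we stop
// with an error instead of recursing until the stack overflows. `maxDepth`
// is a second, independent bound on nesting.
static bool expandInto(const MacroTable& table, const std::string& body,
                       std::set<std::string>& inProgress, size_t depth,
                       size_t maxDepth, std::string& out, std::string& err) {
    if (depth > maxDepth) {
        err = "macro nesting exceeds limit";
        return false;
    }
    size_t pos = 0;
    while (pos < body.size()) {
        size_t open = body.find('{', pos);
        if (open == std::string::npos) {
            out.append(body, pos, std::string::npos);  // trailing literal text
            break;
        }
        out.append(body, pos, open - pos);              // literal text before {
        size_t close = body.find('}', open);
        if (close == std::string::npos) {
            err = "unterminated macro reference";
            return false;
        }
        std::string name = body.substr(open + 1, close - open - 1);
        auto it = table.find(name);
        if (it == table.end()) {
            err = "unknown macro: " + name;
            return false;
        }
        if (inProgress.count(name)) {                   // the self-reference check
            err = "circular macro reference: " + name;
            return false;
        }
        inProgress.insert(name);
        if (!expandInto(table, it->second, inProgress, depth + 1, maxDepth, out, err))
            return false;
        inProgress.erase(name);                         // path unwound, name reusable
        pos = close + 1;
    }
    return true;
}

// Expands `text` against `table`; refuses circular or over-deep input.
ExpandResult flattenMacros(const MacroTable& table, const std::string& text,
                           size_t maxDepth = 64) {
    std::set<std::string> inProgress;
    ExpandResult r{true, "", ""};
    if (!expandInto(table, text, inProgress, 0, maxDepth, r.text, r.error)) {
        r.ok = false;
        r.text.clear();
    }
    return r;
}

int main() {
    // Constructed sample table: one acyclic pair, one self-reference, one two-step cycle.
    MacroTable t{{"a", "x{b}y"}, {"b", "z"}, {"self", "1{self}"}, {"p", "{q}"}, {"q", "{p}"}};
    for (const std::string& input : {"A:{a}", "{self}", "{p}"}) {
        ExpandResult r = flattenMacros(t, input);
        std::cout << input << " -> " << (r.ok ? r.text : "REJECTED: " + r.error) << "\n";
    }
    return 0;
}
```

The in-progress set, not the depth cap, is what turns the cycle into a clean error on the first repeated name; the cap only guards against legitimately deep but finite nesting and should be sized for the largest profile the application expects to accept.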