CVE-2026-21501
Stack Overflow in iccDEV Calculator Parser Allows Code Execution
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | to 2.3.1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21501 is a stack overflow vulnerability in the iccDEV library, specifically in the CIccMpeCalculator class used for processing ICC color profiles. The issue arises from improper validation of offsets and sizes when parsing sub-elements within ICC profiles, which can lead to infinite recursion or out-of-bounds memory access during the reading and processing of profile data. This vulnerability allows specially crafted ICC profiles to cause stack exhaustion and program crashes. The problem was fixed by adding strict boundary checks, correcting header size calculations, and improving memory management to prevent recursion and buffer overflows. [1, 2, 3, 4, 6]
How can this vulnerability impact me? :
This vulnerability can impact you by causing a denial of service (DoS) condition. When processing a maliciously crafted ICC profile, the stack overflow can cause the application using iccDEV to crash or abort unexpectedly, leading to loss of availability. Since the vulnerability requires user interaction and local access, an attacker could exploit it to disrupt services or applications that rely on ICC profile processing. However, it does not affect confidentiality or integrity of data. [3, 6]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the iccDEV tool with specially crafted ICC profile files that trigger the stack overflow in the CIccMpeCalculator::SetElem() function. For example, using the tool `iccDumpProfile` with a proof-of-concept (PoC) ICC profile file (such as `CIccMpeCalculatorSetElem_StackOverflow_IccMpeCalc.cpp-L4963.icc`) can cause an AddressSanitizer-detected stack overflow error, indicating the presence of the vulnerability. Running this on a Linux system with AddressSanitizer enabled can help detect the overflow. Specific commands include running `iccDumpProfile` with the crafted ICC profile and monitoring for stack overflow or memory errors. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade iccDEV to version 2.3.1.2 or later, where the vulnerability has been patched. The fix includes strict boundary and offset checks in the CIccMpeCalculator::Read() and SetElem() functions to prevent stack overflow by validating input sizes and offsets before processing. There are no known workarounds other than applying the official patch or upgrade. Additionally, avoid processing untrusted or specially crafted ICC profile files until the update is applied. [1, 2, 4, 6]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability primarily impacts availability due to a stack overflow that can cause denial of service. It does not affect confidentiality or integrity of data. Therefore, it does not directly impact compliance with standards like GDPR or HIPAA, which focus on data privacy and protection. However, the availability impact could indirectly affect compliance if it disrupts services required by these regulations. [6]