CVE-2026-21504
Unknown Unknown - Not Provided
Heap Buffer Overflow in iccDEV ToneMap Parser Prior to

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap buffer overflow in the ToneMap parser. This issue has been patched in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21504
EUVD
EUVD-2026-1412
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21504 is a heap buffer overflow vulnerability in the iccDEV library's ToneMap parser, specifically in the function CIccMpeToneMap::Read(). The issue arises from improper handling of buffer boundaries when reading data into a heap-allocated buffer, causing the code to read beyond the allocated memory. This overflow can lead to crashes or potentially arbitrary code execution. The root cause was an incorrect loop increment variable that caused out-of-bounds memory access during tone map data processing. The vulnerability affects versions prior to 2.3.1.2 and has been fixed by correcting the loop increment to prevent the overflow. [2, 3, 6]

Impact Analysis

This vulnerability can lead to a denial of service by causing application crashes due to illegal memory access. It may also allow an attacker to execute arbitrary code, compromising system availability and potentially integrity and confidentiality to a lesser extent. Exploitation requires local access with user interaction but no special privileges. The impact includes low confidentiality and integrity loss but high availability impact. [3, 6]

Detection Guidance

This vulnerability can be detected by analyzing the processing of ICC profile files, especially those containing multi-process element tags that invoke the vulnerable CIccMpeToneMap::Read() function. Detection may involve using tools like AddressSanitizer to identify heap buffer overflows during ICC profile parsing. A practical approach is to test ICC profile files with verbose debugging tools such as `iccDumpProfile -v` on potentially malicious or crafted .icc files to observe crashes or illegal memory accesses indicative of the vulnerability. [6]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the heap buffer overflow in the ToneMap parser has been patched. No workarounds are provided, so applying the official patch or updating to the fixed version is necessary to prevent exploitation. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21504. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart