CVE-2026-21505
Undefined Behavior in iccDEV ICC Profile Handling Before
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | to 2.3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in iccDEV occurs due to undefined behavior caused by an invalid enum value in the icMaterialColorSignature enumeration. Specifically, when processing ICC color profiles, malformed or malicious profiles can contain invalid material color signature values that the software does not properly validate or handle. This leads to runtime errors and undefined behavior in the wxProfileDump tool and potentially other applications using this enum. The root causes are improper input validation and type confusion, which can cause the program to behave unpredictably or crash. [4, 5]
How can this vulnerability impact me? :
The primary impact of this vulnerability is a high loss of availability, meaning that affected applications or tools like wxProfileDump may crash or become unstable when processing malicious or malformed ICC profiles. Confidentiality and integrity are not affected. The attack requires local access, low complexity, no privileges, and user interaction, so an attacker could cause denial of service by triggering the invalid enum handling. [5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running the wxProfileDump tool from the iccDEV project on ICC profile files, especially those that might be malformed or malicious. The issue manifests as runtime errors or undefined behavior when an invalid enum value is loaded. A known test case file named IccCmm_cpp-L8840.icc.txt can be used to reproduce the issue. To detect the vulnerability, you can run the wxProfileDump GUI or command-line tool on suspicious ICC profiles and observe for errors related to invalid enum values or UBSan warnings. Specific commands are not provided, but running wxProfileDump on ICC profiles is the suggested method. [4, 5]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched. The fix addresses the invalid enum value handling and prevents undefined behavior. No workarounds are provided, so updating to the fixed version is the recommended action to prevent exploitation. [5]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.