CVE-2026-21505
Unknown Unknown - Not Provided
Undefined Behavior in iccDEV ICC Profile Handling Before

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to an invalid enum value. This issue has been patched in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21505
EUVD
EUVD-2026-1414
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in iccDEV occurs due to undefined behavior caused by an invalid enum value in the icMaterialColorSignature enumeration. Specifically, when processing ICC color profiles, malformed or malicious profiles can contain invalid material color signature values that the software does not properly validate or handle. This leads to runtime errors and undefined behavior in the wxProfileDump tool and potentially other applications using this enum. The root causes are improper input validation and type confusion, which can cause the program to behave unpredictably or crash. [4, 5]

Detection Guidance

This vulnerability can be detected by running the wxProfileDump tool from the iccDEV project on ICC profile files, especially those that might be malformed or malicious. The issue manifests as runtime errors or undefined behavior when an invalid enum value is loaded. A known test case file named IccCmm_cpp-L8840.icc.txt can be used to reproduce the issue. To detect the vulnerability, you can run the wxProfileDump GUI or command-line tool on suspicious ICC profiles and observe for errors related to invalid enum values or UBSan warnings. Specific commands are not provided, but running wxProfileDump on ICC profiles is the suggested method. [4, 5]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched. The fix addresses the invalid enum value handling and prevents undefined behavior. No workarounds are provided, so updating to the fixed version is the recommended action to prevent exploitation. [5]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The primary impact of this vulnerability is a high loss of availability, meaning that affected applications or tools like wxProfileDump may crash or become unstable when processing malicious or malformed ICC profiles. Confidentiality and integrity are not affected. The attack requires local access, low complexity, no privileges, and user interaction, so an attacker could cause denial of service by triggering the invalid enum handling. [5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21505. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart