CVE-2026-21674
Memory Leak in iccDEV XML MPE Parsing (iccFromXml
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| international_color_consortium | iccdev | to 2.3.1.2 (exc) |
| international_color_consortium | iccdev | 2.3.1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21674 is a memory leak vulnerability in the iccDEV library, specifically in the XML Multi-Process Element (MPE) parsing path within the function iccFromXml and CIccProfileXml::ParseTag(). The issue occurs because the software fails to properly release allocated memory during the parsing of ICC color profiles, particularly when handling certain XML elements like CMYK 3D Lookup Tables (3DLUTs). This leads to memory being consumed and not freed, which can degrade system performance over time. The vulnerability was fixed by ensuring proper deletion of allocated pointers during parsing. [1, 2, 3]
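The leak and its fix as described above, shown in a self-contained C++ example that is added here and is not iccDEV code. `Tag`, `ParseTagLeaky`, `ParseTagFixed` and `LeakedAfterFailures` are hypothetical names, and the failing-parse early return is an assumed trigger, since the page does not say which path skips the release.

```cpp
// Added illustration with hypothetical names; not iccDEV source code.
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <utility>

// Stand-in for a tag object allocated while parsing one XML element.
// A registry of live instances makes a leak measurable without ASan.
struct Tag {
    static std::set<Tag*>& Live() { static std::set<Tag*> s; return s; }
    Tag() { Live().insert(this); }
    ~Tag() { Live().erase(this); }
    // Constructed rule: an empty element body fails to parse.
    bool ParseXml(const std::string& body) { return !body.empty(); }
};

// Minimal profile that owns the tag attached to it.
struct Profile { std::unique_ptr<Tag> tag; };

// Leaky shape: the early return drops the only pointer to the allocation.
bool ParseTagLeaky(Profile& p, const std::string& body) {
    Tag* t = new Tag();
    if (!t->ParseXml(body)) return false;   // t is never deleted here
    p.tag.reset(t);
    return true;
}

// Fixed shape: unique_ptr owns the object until the profile takes it.
bool ParseTagFixed(Profile& p, const std::string& body) {
    auto t = std::make_unique<Tag>();
    if (!t->ParseXml(body)) return false;   // destructor frees t
    p.tag = std::move(t);
    return true;
}

// Runs n failing parses and returns how many Tag objects were left behind.
// Leftovers are then reclaimed so the demonstration itself exits clean.
int LeakedAfterFailures(bool (*parse)(Profile&, const std::string&), int n) {
    Profile p;
    for (int i = 0; i < n; ++i) parse(p, "");
    int leaked = static_cast<int>(Tag::Live().size());
    while (!Tag::Live().empty()) delete *Tag::Live().begin();
    return leaked;
}

int main() {
    std::printf("leaky: %d left behind\n", LeakedAfterFailures(ParseTagLeaky, 100));
    std::printf("fixed: %d left behind\n", LeakedAfterFailures(ParseTagFixed, 100));
}
```

In a long-running process the leaky shape grows by one object per failed parse, which is the availability impact a CWE-401 finding describes.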
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability is a low-severity memory leak in a color management library and does not impact confidentiality or integrity of data. Therefore, it does not directly affect compliance with common standards and regulations such as GDPR or HIPAA, which focus on protecting personal data and ensuring data integrity and confidentiality. [2]
How can this vulnerability impact me?
This vulnerability can cause a memory leak when processing ICC color profiles using the iccDEV library, which may lead to increased memory usage and reduced availability of system resources. Although it does not affect confidentiality or integrity, it has a low impact on availability, potentially causing performance degradation or application instability if exploited repeatedly or in long-running processes. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reproducing the memory leak during the parsing of ICC color profiles using the iccFromXml tool on a specially crafted XML file such as CMYK-3DLUTs.xml. To detect the leak, you can clone the iccDEV repository, build it with Clang++ enabling AddressSanitizer (ASan) and UndefinedBehaviorSanitizer (UBSan), and then run the iccFromXml tool on the test XML file. The ASan report will highlight memory leaks related to the vulnerability. Example commands include:

1. `git clone https://github.com/InternationalColorConsortium/iccDEV.git`
2. `cd iccDEV`
3. `clang++ -fsanitize=address,undefined -g -o iccFromXml tools/iccFromXml.cpp` (adjust build commands as needed)
4. `./iccFromXml CMYK-3DLUTs.xml CMYK-3DLUTs.icc`
5. Observe ASan output for memory leaks. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.1 or later, where the memory leak vulnerability has been fixed. There are no known workarounds. Avoid processing ICC profiles with vulnerable versions until the update is applied. [2, 1]