CVE-2026-21674
Memory Leak in iccDEV XML MPE Parsing (iccFromXml)

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-06
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)
Vendor: international_color_consortium  Product: iccdev  Version / Range: up to 2.3.1.2 (excluding)
Vendor: international_color_consortium  Product: iccdev  Version / Range: 2.3.1.1
CWE
CWE-401: The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability is a low-severity memory leak in a color management library and does not impact confidentiality or integrity of data. Therefore, it does not directly affect compliance with common standards and regulations such as GDPR or HIPAA, which focus on protecting personal data and ensuring data integrity and confidentiality. [2]

Executive Summary

CVE-2026-21674 is a memory leak vulnerability in the iccDEV library, specifically in the XML Multi-Process Element (MPE) parsing path within the function iccFromXml and CIccProfileXml::ParseTag(). The issue occurs because the software fails to properly release allocated memory during the parsing of ICC color profiles, particularly when handling certain XML elements like CMYK 3D Lookup Tables (3DLUTs). This leads to memory being consumed and not freed, which can degrade system performance over time. The vulnerability was fixed by ensuring proper deletion of allocated pointers during parsing. [1, 2, 3]

Impact Analysis

This vulnerability can cause a memory leak when processing ICC color profiles using the iccDEV library, which may lead to increased memory usage and reduced availability of system resources. Although it does not affect confidentiality or integrity, it has a low impact on availability, potentially causing performance degradation or application instability if exploited repeatedly or in long-running processes. [2, 3]

Detection Guidance

This vulnerability can be detected by reproducing the memory leak during the parsing of ICC color profiles using the iccFromXml tool on a specially crafted XML file such as CMYK-3DLUTs.xml. To detect the leak, clone the iccDEV repository, build it with Clang++ with AddressSanitizer (ASan) and UndefinedBehaviorSanitizer (UBSan) enabled, and then run the iccFromXml tool on the test XML file. The ASan report will highlight memory leaks related to the vulnerability. Example commands:

1) git clone https://github.com/InternationalColorConsortium/iccDEV.git
2) cd iccDEV
3) clang++ -fsanitize=address,undefined -g -o iccFromXml tools/iccFromXml.cpp (adjust build commands as needed)
4) ./iccFromXml CMYK-3DLUTs.xml CMYK-3DLUTs.icc
5) Observe ASan output for memory leaks. [3]
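As an added illustration (not part of this record or of the iccDEV project), a small POSIX shell helper that summarises a LeakSanitizer report from an ASan build of iccFromXml and lists the leaking frames attributable to a given symbol such as ParseTag. The report text embedded below is constructed to match the shape of LSan output, and the ASAN_OPTIONS usage assumes a sanitizer build at ./iccFromXml.

```shell
# Added example, not iccDEV code. Summarise a LeakSanitizer report from an
# ASan build of iccFromXml. Run the tool with leak detection and a log path:
#   ASAN_OPTIONS=detect_leaks=1:log_path=asan.log ./iccFromXml CMYK-3DLUTs.xml out.icc
# then: lsan_summary asan.log.<pid>; lsan_frames asan.log.<pid> ParseTag

# Print "clean" when no leak header is present, else "leaks=<allocs> bytes=<bytes>"
# taken from the SUMMARY line (LSan format: "N byte(s) leaked in M allocation(s)").
lsan_summary() {
    if ! grep -q 'ERROR: LeakSanitizer: detected memory leaks' "$1"; then
        echo "clean"; return 0
    fi
    s='s/.*SUMMARY: AddressSanitizer: \([0-9]*\) byte(s) leaked in \([0-9]*\) allocation(s).*/'
    echo "leaks=$(sed -n "${s}\2/p" "$1") bytes=$(sed -n "${s}\1/p" "$1")"
}

# Print the stack frames (one per line) whose text contains $2, e.g. ParseTag,
# so a reported leak can be attributed to the XML MPE parsing path.
lsan_frames() {
    grep -E '^[[:space:]]*#[0-9]+ ' "$1" | grep -F -- "$2" | sed 's/^[[:space:]]*//'
}

# Constructed sample report (shape of real LSan output; 0xADDR and LINE are
# placeholders, not values from a real run).
write_sample_report() {
    cat > "$1" <<'EOF'
==4242==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1024 byte(s) in 2 object(s) allocated from:
    #0 0xADDR in operator new(unsigned long)
    #1 0xADDR in CIccProfileXml::ParseTag(...) IccProfileXml.cpp:LINE
    #2 0xADDR in main iccFromXml.cpp:LINE

SUMMARY: AddressSanitizer: 1024 byte(s) leaked in 2 allocation(s).
EOF
}

# Stand-alone demo: `sh thisfile.sh demo` writes the sample and summarises it.
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp); write_sample_report "$f"
    lsan_summary "$f"; lsan_frames "$f" ParseTag; rm -f "$f"
fi
```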

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.1 or later, where the memory leak vulnerability has been fixed. There are no known workarounds. Avoid processing ICC profiles with vulnerable versions until the update is applied. [2, 1]
