CVE-2026-21676
Heap-Based Buffer Overflow in iccDEV CIccMBB::Validate Function

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1.
Meta Information
Published: 2026-01-06
Last Modified: 2026-01-06
Generated: 2026-05-27
AI Q&A: 2026-01-06
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (2 associated CPEs)

Vendor                        Product   Version / Range
internationalcolorconsortium  iccdev    to 2.3.1.1 (exc)
internationalcolorconsortium  iccdev    to 2.3.1.2 (inc)
CWE
CWE-122: A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-21676 is a heap-based buffer overflow vulnerability in the iccDEV library, specifically in the CIccMBB::Validate function that checks the validity of ICC color management profile tag data. The issue arises due to improper input validation and incorrect handling of input/output channel counts when processing certain ICC profile tags, such as LUT16 and gamut tags. This leads to reading beyond allocated heap memory buffers, causing a heap-buffer-overflow error. The vulnerability was identified in the ICC profile validation code, particularly in the CIccTagLut16::Validate() function, and results from improper bounds checking when processing LUT16 tags. It was fixed in version 2.3.1.1 and later patched in 2.3.1.2. [1, 2, 3]


How can this vulnerability impact me?

This vulnerability has a high severity with a CVSS score of 8.8. It can be exploited remotely over a network with low complexity and requires no privileges but some user interaction. Successful exploitation can lead to a heap-based buffer overflow, which may cause significant impacts including disclosure of sensitive data, modification of data, and disruption of service (availability). Essentially, it can compromise confidentiality, integrity, and availability of systems using vulnerable versions of the iccDEV library when processing malicious ICC profiles. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by validating ICC profiles using the iccDEV tools, specifically the iccDumpProfile command-line tool which invokes the vulnerable validation functions. Running iccDumpProfile on ICC profiles can trigger the heap-buffer-overflow detection if the profile is malformed. Additionally, using AddressSanitizer (ASan) and UndefinedBehaviorSanitizer (UBSan) when building and running iccDEV tools can help detect the overflow during validation. Example command: `iccDumpProfile <profile.icc>` executed in an environment with ASan enabled to detect out-of-bounds reads during validation. [3]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.1 or later, as the vulnerability is fixed starting from that version. Since no workarounds are provided, updating to the patched version is essential. Additionally, avoid processing untrusted ICC profiles with vulnerable versions to reduce risk. [2]

