CVE-2026-21676
Unknown Unknown - Not Provided
Heap-Based Buffer Overflow in iccDEV CIccMBB::Validate Function

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21676
EUVD
EUVD-2026-1151
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.1 (exc)
internationalcolorconsortium iccdev to 2.3.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21676 is a heap-based buffer overflow vulnerability in the iccDEV library, specifically in the CIccMBB::Validate function that checks the validity of ICC color management profile tag data. The issue arises due to improper input validation and incorrect handling of input/output channel counts when processing certain ICC profile tags, such as LUT16 and gamut tags. This leads to reading beyond allocated heap memory buffers, causing a heap-buffer-overflow error. The vulnerability was identified in the ICC profile validation code, particularly in the CIccTagLut16::Validate() function, and results from improper bounds checking when processing LUT16 tags. It was fixed in version 2.3.1.1 and later patched in 2.3.1.2. [1, 2, 3]

Impact Analysis

This vulnerability has a high severity with a CVSS score of 8.8. It can be exploited remotely over a network with low complexity and requires no privileges but some user interaction. Successful exploitation can lead to a heap-based buffer overflow, which may cause significant impacts including disclosure of sensitive data, modification of data, and disruption of service (availability). Essentially, it can compromise confidentiality, integrity, and availability of systems using vulnerable versions of the iccDEV library when processing malicious ICC profiles. [2]

Detection Guidance

This vulnerability can be detected by validating ICC profiles using the iccDEV tools, specifically the iccDumpProfile command-line tool which invokes the vulnerable validation functions. Running iccDumpProfile on ICC profiles can trigger the heap-buffer-overflow detection if the profile is malformed. Additionally, using AddressSanitizer (ASan) and UndefinedBehaviorSanitizer (UBSan) when building and running iccDEV tools can help detect the overflow during validation. Example command: `iccDumpProfile <profile.icc>` executed in an environment with ASan enabled to detect out-of-bounds reads during validation. [3]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.1 or later, as the vulnerability is fixed starting from that version. Since no workarounds are provided, updating to the patched version is essential. Additionally, avoid processing untrusted ICC profiles with vulnerable versions to reduce risk. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21676. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart