CVE-2026-21677
Unknown Unknown - Not Provided
Undefined Behavior in iccDEV CIccCLUT::Init Function

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21677
EUVD
EUVD-2026-1152
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)
internationalcolorconsortium iccdev 2.3.1.1
internationalcolorconsortium iccdev 2.3.1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-758 The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21677 is a vulnerability in the iccDEV library related to undefined behavior in the CIccCLUT::Init function, which initializes and sets the size of a color lookup table (CLUT). The issue arises from improper input validation and handling of invalid or zero channel counts, leading to runtime errors and instability when processing ICC color profiles. Specifically, invalid values are loaded into platform signature variables causing undefined behavior detected by sanitizers. This flaw can cause the library to behave incorrectly or crash during ICC profile processing. [1, 2, 3]

Impact Analysis

This vulnerability can be exploited remotely with low complexity and no privileges, requiring some user interaction. Successful exploitation can lead to high impacts on confidentiality, integrity, and availability of the affected system. This means an attacker could cause the system to crash, behave unpredictably, or potentially execute malicious actions compromising sensitive data or system stability. [2]

Detection Guidance

This vulnerability manifests as undefined behavior and runtime errors related to invalid values loaded into 'icPlatformSignature' variables during ICC profile processing. Detection can involve monitoring for runtime errors flagged by UndefinedBehaviorSanitizer (UBSan) in the affected binaries, especially errors occurring at specific source code lines (line 227 in iccDumpProfile.cpp and lines 1847 and 1867 in IccProfLib/IccUtil.cpp). While no specific network detection commands are provided, running the iccDEV tools with UBSan enabled or checking logs for these runtime errors can help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been fixed by adding proper input validation in the CIccCLUT::Init function and related LUT reading functions. There are no workarounds available, so applying the patch or updating to the fixed version is necessary to prevent exploitation. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21677. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart