CVE-2026-21678
Heap Buffer Overflow in iccDEV IccTagXml() Before
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | < 2.3.1.2 (all versions before 2.3.1.2; 2.3.1.2 is the fixed release) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21678 is a heap-based buffer overflow in the iccDEV library, in the IccTagXml() code used to convert ICC color profile tags to XML. When processing curve data the code assumes a fixed channel count of 3, while the heap buffers involved are sized for the channel count the profile actually declares; for a profile with a different number of channels the code therefore reads and writes past the end of those allocations (CWE-122, CWE-125, CWE-787, rooted in missing validation of the channel count, CWE-20). The result is at least a crash, and in the write case corruption of heap memory. Version 2.3.1.2 fixes this by using the actual number of input or output channels and adding checks that the buffer really holds that many entries before they are accessed. [1, 2, 4]
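The following C++ is an added illustration of the bug class described above and of the shape of the fix (the actual-channel-count loop bound plus a buffer-size check). It is not iccDEV's code and not the real patched function: the `CurveSet` layout, `parseCurveSet`, and both serialisers are hypothetical, and the byte buffers at the bottom are constructed for this example.

```cpp
// Added example, not iccDEV code. Models CVE-2026-21678's bug class: a
// per-channel heap buffer sized from the channel count read out of the
// profile, serialised by a loop that hard-codes three channels.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical layout, constructed for this example only:
//   byte 0      : channel count n (1..15)
//   bytes 1..2n : one big-endian uint16 gamma value per channel
struct CurveSet {
    std::uint8_t nChannels = 0;
    std::vector<std::uint16_t> gamma;   // allocated with exactly nChannels entries
};

// Parse the constructed layout; false on an empty, zero-count or truncated buffer.
bool parseCurveSet(const std::vector<std::uint8_t> &buf, CurveSet &out) {
    if (buf.empty()) return false;
    std::uint8_t n = buf[0];
    if (n == 0 || n > 15 || buf.size() < 1 + 2u * n) return false;
    out.nChannels = n;
    out.gamma.assign(static_cast<std::size_t>(n), std::uint16_t{0});  // heap buffer, no slack
    for (std::size_t i = 0; i < n; ++i)
        out.gamma[i] = static_cast<std::uint16_t>((buf[1 + 2 * i] << 8) | buf[2 + 2 * i]);
    return true;
}

// VULNERABLE pattern: loop bound hard-coded to 3. For a 1-channel set,
// gamma[1] and gamma[2] read past the end of the heap allocation (a
// mirror-image writer would write past it); AddressSanitizer reports this as
// heap-buffer-overflow. Shown for contrast only; never call it with fewer
// than three channels.
std::string curvesToXmlUnsafe(const CurveSet &cs) {
    std::string xml;
    for (int i = 0; i < 3; ++i)                         // BUG: assumes RGB
        xml += "<Curve gamma=\"" + std::to_string(cs.gamma[i]) + "\"/>\n";
    return xml;
}

// FIXED pattern: bound the loop by the real channel count and confirm the
// buffer actually holds that many entries before indexing it.
bool curvesToXmlSafe(const CurveSet &cs, std::string &xml) {
    if (cs.nChannels == 0 || cs.gamma.size() < cs.nChannels) return false;  // malformed: refuse
    xml.clear();
    for (std::size_t i = 0; i < cs.nChannels; ++i)
        xml += "<Curve gamma=\"" + std::to_string(cs.gamma[i]) + "\"/>\n";
    return true;
}

// Counts emitted <Curve> elements so a caller can check the output shape.
std::size_t countCurves(const std::string &xml) {
    std::size_t n = 0;
    for (std::size_t pos = xml.find("<Curve"); pos != std::string::npos; pos = xml.find("<Curve", pos + 1))
        ++n;
    return n;
}

// Constructed inputs: a valid 3-channel set, and a 1-channel (grayscale) set
// whose count field is exactly what the hard-coded loop ignores.
static const std::vector<std::uint8_t> kThreeChannel = {3, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00};
static const std::vector<std::uint8_t> kOneChannel   = {1, 0x02, 0x33};
```

Run the unsafe serialiser on `kOneChannel` in a build compiled with `-fsanitize=address` and ASAN stops on the first out-of-bounds read; the safe version instead stops at the size check, which is the check the advisory says the fix adds.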
How can this vulnerability impact me?
Processing a maliciously crafted ICC color profile with a vulnerable build triggers the heap buffer overflow, crashing the affected application (segmentation fault) or, through the out-of-bounds write, giving an attacker a path to memory corruption and potentially arbitrary code execution. The rated impact is high for confidentiality, integrity, and availability: data the process holds could be exposed or altered, and the application or service could be taken down. The attack vector is local and requires user interaction but no special privileges, meaning the attacker has to get a crafted profile parsed by the vulnerable tool or by an application linking the library, for example by having a user open or convert the file. [1, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection here is about the parser rather than the network: the bug is triggered only when a vulnerable build of iccDEV (the IccToXml tool, or any application linking the library) parses a crafted profile. The most reliable check is to build iccDEV with AddressSanitizer (compile and link with `-fsanitize=address -g`) and run the tool on suspect or fuzzer-generated profiles; ASAN reports heap-buffer-overflow on the first out-of-bounds access and aborts with a stack trace. No special `ASAN_OPTIONS` are needed for that; the `detect_stack_use_after_return` option only affects stack objects and does not influence heap overflow detection. Example run against a suspect profile with an ASAN-instrumented build: `./IccToXml suspect_profile.icc out.xml`, where the second argument is the XML output path the tool writes. Fuzz testing the same entry point with crafted profiles, and watching for segmentation faults or ASAN reports in the logs of any service that converts untrusted ICC profiles, are the other practical signals. Beyond that, inventory which iccDEV version is deployed or statically linked into your applications: anything below 2.3.1.2 is affected. [4, 1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the heap buffer overflow in IccTagXml() has been patched. The patch fixes the issue by using the actual number of input or output channels instead of a hardcoded 3 and by adding the checks needed to prevent the out-of-bounds reads and writes. There are no known workarounds, so applying the official patch or upgrading to the fixed version is essential. Until the update is applied, avoid processing untrusted ICC profile files with vulnerable versions of iccDEV, and treat any service that converts user-supplied profiles with such a version as exposed. [1, 2]