CVE-2026-21678
Unknown Unknown - Not Provided
Heap Buffer Overflow in iccDEV IccTagXml() Before

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow vulnerability in IccTagXml(). This issue has been patched in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21678
EUVD
EUVD-2026-1398
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21678 is a heap-based buffer overflow vulnerability in the iccDEV library, specifically in the IccTagXml() function used for processing ICC color profiles. The issue arises because the code incorrectly assumes a fixed channel count of 3 when processing curve data, leading to out-of-bounds reads and writes on heap-allocated buffers when the actual number of channels differs. This improper input validation causes the program to access memory beyond allocated buffers, potentially leading to crashes or exploitation. The vulnerability was patched in version 2.3.1.2 by dynamically using the actual number of input or output channels and adding checks to prevent invalid memory access. [1, 2, 4]

Impact Analysis

This vulnerability can lead to a heap-buffer-overflow condition when processing maliciously crafted ICC color profiles, causing the affected application to crash (segmentation fault) or potentially allowing an attacker to execute arbitrary code. The impact includes high confidentiality, integrity, and availability risks, meaning sensitive data could be exposed or altered, and the system or application could become unavailable. Exploitation requires local access and user interaction but no special privileges. [1, 4]

Detection Guidance

This vulnerability can be detected by testing the iccDEV library's IccTagXml functionality with crafted ICC profile files that trigger the heap-buffer-overflow. Using fuzz testing tools on the IccToXml tool or the iccDEV library to process suspicious or crafted ICC profiles can reveal the vulnerability. AddressSanitizer (ASAN) can be used to detect heap-buffer-overflow errors during execution, as it logs invalid memory accesses and segmentation faults. Specifically, running the IccToXml tool with a crafted ICC profile and monitoring for crashes or ASAN reports can help detect the issue. Example command to test with ASAN enabled: `ASAN_OPTIONS=detect_stack_use_after_return=1 ./IccToXml crafted_profile.icc` where `crafted_profile.icc` is a maliciously crafted ICC profile designed to trigger the overflow. Additionally, monitoring logs for segmentation faults or crashes in the IccToXml tool when processing ICC profiles can indicate exploitation attempts. [4, 1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the iccDEV library to version 2.3.1.2 or later, where the heap-buffer-overflow in IccTagXml() has been patched. The patch fixes the vulnerability by dynamically handling the number of channels instead of using hardcoded values and adding necessary checks to prevent buffer overreads. There are no known workarounds, so applying the official patch or upgrading to the fixed version is essential. Additionally, avoid processing untrusted or crafted ICC profile files with vulnerable versions of iccDEV until the update is applied. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21678. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart