CVE-2026-21679
Unknown Unknown - Not Provided
Heap Buffer Overflow in iccDEV CIccLocalizedUnicode::GetText

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to heap-buffer-overflow in CIccLocalizedUnicode::GetText(). This issue has been patched in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21679
EUVD
EUVD-2026-1403
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (inc)
internationalcolorconsortium iccdev to 2.3.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21679 is a heap-buffer-overflow vulnerability in the iccDEV library, specifically in the function CIccLocalizedUnicode::GetText(). The vulnerability occurs because the function reads beyond the allocated heap buffer when processing localized Unicode text data in ICC color profiles. This happens due to improper bounds checking and buffer size mismanagement, leading to out-of-bounds memory access. Essentially, when the function attempts to read Unicode strings, it can read two bytes past the allocated buffer, causing memory corruption. This flaw was detected by fuzz testing and AddressSanitizer, and it affects versions of iccDEV prior to 2.3.1.2. [1, 2]

Impact Analysis

This vulnerability can lead to memory corruption, which may cause application crashes or enable attackers to exploit the issue to execute arbitrary code or cause denial of service. Since the vulnerability affects the processing of ICC color profiles, a maliciously crafted profile could trigger the overflow when loaded by the iccDEV library. The CVSS v3.1 score of 8.8 indicates high severity, with impacts on confidentiality, integrity, and availability (all high). The attack vector is network-based and requires some user interaction, but no privileges are needed. Therefore, if you use iccDEV to process ICC profiles, this vulnerability could allow attackers to compromise your system or disrupt services. [1, 2]

Detection Guidance

This vulnerability was detected using fuzz testing tools such as LibFuzzer combined with AddressSanitizer, which reported heap-buffer-overflow errors during processing of ICC profiles. To detect this vulnerability on your system, you can run fuzz testing on the iccDEV library or any application using it, focusing on processing ICC color profiles with malformed multi-localized Unicode tags. There are no specific network or system commands provided to detect this vulnerability directly. Instead, monitoring for crashes or memory corruption events related to iccDEV when handling ICC profiles may help identify exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched. The fix includes improved buffer boundary checks, safer buffer allocations with double null-termination, validation of tag lengths, and safer string copying to prevent heap-buffer-overflow. No workarounds are provided, so applying the official patch or updated version is necessary to protect against exploitation. [2, 3, 4]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21679. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart