CVE-2026-21681
Undefined Behavior Runtime Error in iccDEV ICC Profile Processing
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | to 2.3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21681 is a high-severity vulnerability in the iccDEV library versions prior to 2.3.1.2. It is caused by improper input validation when processing ICC color profiles, specifically due to NaN (Not a Number) values being outside the expected numeric range in the IccProfLib/IccTagBasic.cpp component. This leads to undefined behavior at runtime, such as crashes or memory access errors. The vulnerability can be triggered remotely with low attack complexity and requires no privileges, though some user interaction is needed. It is classified under CWE-20 (Improper Input Validation). [1]
How can this vulnerability impact me? :
This vulnerability impacts the integrity and availability of systems using vulnerable versions of the iccDEV library. While it does not affect confidentiality, it can cause denial of service or disruption of the affected component by triggering runtime errors or crashes when processing malicious ICC color profiles. This could lead to application instability or service interruptions. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from processing malformed ICC color profiles that contain NaN values causing runtime errors. Detection involves identifying usage of vulnerable iccDEV library versions prior to 2.3.1.2 and monitoring for crashes or abnormal behavior when ICC profiles are processed. Specific commands are not provided in the resources, but you can check the installed iccDEV version by querying your package manager or inspecting the library version in your environment. Additionally, monitoring logs for crashes or errors related to ICC profile processing may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, which contains the patch fixing the vulnerability. No known workarounds are available. Ensuring that all systems processing ICC color profiles use the patched version will prevent exploitation of this issue. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.