CVE-2026-21681
Unknown Unknown - Not Provided
Undefined Behavior Runtime Error in iccDEV ICC Profile Processing

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Undefined Behavior runtime error. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21681
EUVD
EUVD-2026-1395
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21681 is a high-severity vulnerability in the iccDEV library versions prior to 2.3.1.2. It is caused by improper input validation when processing ICC color profiles, specifically due to NaN (Not a Number) values being outside the expected numeric range in the IccProfLib/IccTagBasic.cpp component. This leads to undefined behavior at runtime, such as crashes or memory access errors. The vulnerability can be triggered remotely with low attack complexity and requires no privileges, though some user interaction is needed. It is classified under CWE-20 (Improper Input Validation). [1]

Impact Analysis

This vulnerability impacts the integrity and availability of systems using vulnerable versions of the iccDEV library. While it does not affect confidentiality, it can cause denial of service or disruption of the affected component by triggering runtime errors or crashes when processing malicious ICC color profiles. This could lead to application instability or service interruptions. [1]

Detection Guidance

This vulnerability arises from processing malformed ICC color profiles that contain NaN values causing runtime errors. Detection involves identifying usage of vulnerable iccDEV library versions prior to 2.3.1.2 and monitoring for crashes or abnormal behavior when ICC profiles are processed. Specific commands are not provided in the resources, but you can check the installed iccDEV version by querying your package manager or inspecting the library version in your environment. Additionally, monitoring logs for crashes or errors related to ICC profile processing may help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, which contains the patch fixing the vulnerability. No known workarounds are available. Ensuring that all systems processing ICC color profiles use the patched version will prevent exploitation of this issue. [1, 2]

Compliance Impact

The provided information does not specify any impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21681. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart