CVE-2026-21682
Heap Buffer Overflow in iccDEV ICC Profile Parsing (Pre
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| international_color_consortium | iccdev | up to 2.3.1.1 (exclusive) |
| international_color_consortium | iccdev | 2.3.1.2 |
Exploitability
| CWE ID | Name | Description |
|---|---|---|
| CWE-122 | Heap-based Buffer Overflow | A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-20 | Improper Input Validation | The product receives input or data, but it does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21682 is a heap-buffer-overflow vulnerability in the iccDEV library, specifically in the function `CIccXmlArrayType::ParseText()`. The function converts text input into numeric arrays but does not properly check the buffer boundary when it stores the last number in the input. This off-by-one error makes the function write past the end of the allocated heap buffer, corrupting memory. The root cause is improper input validation, and the flaw can be triggered by maliciously crafted ICC profile XML data. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to memory corruption, causing application crashes or potentially allowing an attacker to execute arbitrary code. Because the iccDEV library is used to process ICC color profiles, an attacker could exploit this flaw by supplying specially crafted ICC profile data. The CVSS score is 8.8 (High), indicating that exploitation can result in high impacts on confidentiality, integrity, and availability. Successful exploitation could lead to data breaches, data manipulation, or denial of service. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected with memory-safety tooling such as Clang's AddressSanitizer (ASan) or Fil-C, which report a heap-buffer-overflow when the vulnerable function `CIccXmlArrayType::ParseText()` processes crafted ICC profile XML data. Build the iccDEV project with ASan enabled (compile and link with `-fsanitize=address`), then run its test suite or the profile-parsing commands against ICC profile XML input; an out-of-bounds write in `ParseText()` surfaces as a heap-buffer-overflow report from the sanitizer. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched. The patch fixes the heap-buffer-overflow by adding proper boundary checks in the `CIccXmlArrayType::ParseText()` function to prevent out-of-bounds writes. No other workarounds are available, so updating to the fixed version is necessary to mitigate the risk. [3, 1]