CVE-2026-21683
Type Confusion in iccDEV ICC Profile Processing Causes Crash
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iccdev | iccdev | to 2.3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Type Confusion issue in the iccDEV library, specifically in the function icStatusCMM::CIccEvalCompare::EvaluateProfile(). It affects versions prior to 2.3.1.2 and involves improper handling of ICC color profiles, which can lead to unexpected behavior or exploitation.
How can this vulnerability impact me? :
The vulnerability can have a severe impact, as indicated by its CVSS score of 8.8. It can lead to high confidentiality, integrity, and availability impacts, meaning attackers could potentially execute arbitrary code, cause data corruption, or disrupt services when processing ICC color profiles using the affected library.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the iccDEV library to version 2.3.1.2 or later, as this version contains the patch for the Type Confusion vulnerability. No known workarounds are available.