CVE-2026-21689
Type Confusion in iccDEV ICC Profile Parsing Causes Potential Exploits
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iccdev | iccdev | to 2.3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-690 | The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-232 | The product does not handle or incorrectly handles when a value is not defined or supported for the associated parameter, field, or argument name. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Type Confusion issue in the iccDEV library, specifically in the function CIccProfileXml::ParseBasic() located in IccXML/IccLibXML/IccProfileXml.cpp. It affects versions prior to 2.3.1.2 and involves improper handling of ICC color profiles, which can lead to unexpected behavior or exploitation.
How can this vulnerability impact me? :
The vulnerability can impact users by causing a denial of service (DoS) or other availability issues when processing ICC color profiles, as indicated by the CVSS score showing high impact on availability. It does not affect confidentiality or integrity but can disrupt normal operations.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the iccDEV library to version 2.3.1.2 or later, as this version contains the patch for the Type Confusion vulnerability in CIccProfileXml::ParseBasic(). No known workarounds are available.