CVE-2026-21690
Type Confusion in iccDEV ICC Profile Processing Leads to Crash
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iccdev | iccdev | to 2.3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-457 | The code uses a variable that has not been initialized, leading to unpredictable or unintended results. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-475 | The behavior of this function is undefined unless its control parameter is set to a specific value. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade the iccDEV library to version 2.3.1.2 or later, as this version contains the patch for the Type Confusion vulnerability in CIccTagXmlTagData::ToXml(). No known workarounds are available.
Can you explain this vulnerability to me?
This vulnerability is a Type Confusion issue in the iccDEV library, specifically in the function CIccTagXmlTagData::ToXml(). It affects versions prior to 2.3.1.2 and involves improper handling of ICC color management profiles, which can lead to unexpected behavior or security issues when processing these profiles.
How can this vulnerability impact me? :
The vulnerability can impact users by potentially allowing an attacker to cause incorrect processing of ICC color profiles, which may lead to information disclosure, integrity loss, or availability issues in applications that use the iccDEV library for color management.