{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21486", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-29T14:34:16.005Z", "datePublished": "2026-01-06T03:36:45.786Z", "dateUpdated": "2026-01-06T14:42:20.572Z"}, "containers": {"cna": {"title": "Use After Free and Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write in iccDEV", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mg98-j5q2-674w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mg98-j5q2-674w"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/commit/1ab7363f38a20089934d3410c88f714eea392bf5", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/1ab7363f38a20089934d3410c88f714eea392bf5"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-06T03:36:45.786Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2."}], "source": {"advisory": "GHSA-mg98-j5q2-674w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:41:45.525506Z", "id": "CVE-2026-21486", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:42:20.572Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21486", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-06T14:41:45.525506Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:42:11.223Z"}}], "cna": {"title": "Use After Free and Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write in iccDEV", "source": {"advisory": "GHSA-mg98-j5q2-674w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.2"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mg98-j5q2-674w", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mg98-j5q2-674w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/1ab7363f38a20089934d3410c88f714eea392bf5", "name": "https://github.com/InternationalColorConsortium/iccDEV/commit/1ab7363f38a20089934d3410c88f714eea392bf5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190: Integer Overflow or Wraparound"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-06T03:36:45.786Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21486", "state": "PUBLISHED", "dateUpdated": "2026-01-06T14:42:20.572Z", "dateReserved": "2025-12-29T14:34:16.005Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-06T03:36:45.786Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680", "versionEndExcluding": "2.3.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2."}], "id": "CVE-2026-21486", "lastModified": "2026-01-12T20:59:22.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-06T04:15:53.960", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/1ab7363f38a20089934d3410c88f714eea392bf5"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mg98-j5q2-674w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-416"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:56:26.730383+00:00", "value": {"mitigation_remediation": ["Upgrade iccDEV to version 2.3.1.2 or later where the vulnerability is fixed. ", "Restrict or whitelist the ICC profiles that applications can load, ensuring only trusted profiles are processed. ", "If an immediate upgrade cannot be performed, isolate the affected systems from untrusted sources or disable color management operations that rely on iccDEV until a patch is applied. ", "Monitor application logs for unusual ICC profile loading or signs of buffer overflow behavior."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "International Color Consortium iccDEV versions 2.3.1.1 and earlier are susceptible to this vulnerability. The flaw is specifically present in the CIccSparseMatrix implementation used by the library.", "description_and_impact": "iccDEV libraries contain a Use After Free, Heap-based Buffer Overflow, Integer Overflow or Wraparound, and Out-of-bounds Write in the CIccSparseMatrix::CIccSparseMatrix function. These flaws can allow an attacker to read, modify, or execute arbitrary code, potentially leading to loss of confidentiality, integrity, and availability of data processed by affected applications. The CVSS base score of 7.8 indicates a high severity scenario based on the potential impact of arbitrary code execution or denial of service.", "risk_and_exploitability": "The EPSS score of less than 1% suggests a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the high CVSS rating indicates a serious risk if successfully exploited. The likely attack vector involves supplying a crafted ICC profile to an application that uses iccDEV; if the application runs with elevated permissions, the flaw could be leveraged for remote code execution. Successful exploitation would require the ability to deliver a malformed profile to the vulnerable component, which is feasible from untrusted or remote sources that can supply ICC data to the affected system."}}}}, "created": "2026-01-06T14:16:15.892894+00:00", "updated": "2026-04-18T17:00:05.575617+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}