{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21488", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-29T14:34:16.006Z", "datePublished": "2026-01-06T13:52:21.380Z", "dateUpdated": "2026-01-06T14:22:27.581Z"}, "containers": {"cna": {"title": "iccDEV has Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-170", "lang": "en", "description": "CWE-170: Improper Null Termination", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4j2g-rvv4-86vg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4j2g-rvv4-86vg"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/commit/9daaccceb231c43db8cab312ee5bbe9d2aa6b153", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/9daaccceb231c43db8cab312ee5bbe9d2aa6b153"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-06T13:52:21.380Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination through its CIccTagText::Read function. This issue is fixed in version 2.3.1.2."}], "source": {"advisory": "GHSA-4j2g-rvv4-86vg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:22:20.962464Z", "id": "CVE-2026-21488", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:22:27.581Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21488", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T14:22:20.962464Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:22:25.001Z"}}], "cna": {"title": "iccDEV has Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination", "source": {"advisory": "GHSA-4j2g-rvv4-86vg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.2"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4j2g-rvv4-86vg", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4j2g-rvv4-86vg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/9daaccceb231c43db8cab312ee5bbe9d2aa6b153", "name": "https://github.com/InternationalColorConsortium/iccDEV/commit/9daaccceb231c43db8cab312ee5bbe9d2aa6b153", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination through its CIccTagText::Read function. This issue is fixed in version 2.3.1.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-170", "description": "CWE-170: Improper Null Termination"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-06T13:52:21.380Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21488", "state": "PUBLISHED", "dateUpdated": "2026-01-06T14:22:27.581Z", "dateReserved": "2025-12-29T14:34:16.006Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-06T13:52:21.380Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680", "versionEndExcluding": "2.3.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Out-of-bounds Read, Heap-based Buffer Overflow and Improper Null Termination through its CIccTagText::Read function. This issue is fixed in version 2.3.1.2."}], "id": "CVE-2026-21488", "lastModified": "2026-01-14T18:45:51.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-06T14:15:48.420", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/9daaccceb231c43db8cab312ee5bbe9d2aa6b153"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4j2g-rvv4-86vg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-170"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:14:52.964314+00:00", "value": {"mitigation_remediation": ["Upgrade iccDEV to version 2.3.1.2 or later to eliminate the buffer overflow and read errors.", "If an upgrade is not immediately possible, restrict the source of ICC profile data to trusted, validated files and avoid processing user-supplied profiles through CIccTagText::Read.", "Implement application-level checks that verify the size and null termination of text tags before invoking the library, reducing the chance of triggering the overflow or information disclosure."], "summary": {"action": "Apply Patch", "impact": "Remote Code Execution via Heap-based Buffer Overflow"}, "threat_synthesis": {"affected_systems": "Affected versions are all releases of International Color Consortium's iccDEV 2.3.1.1 and earlier. The fix was introduced in 2.3.1.2. All installations using the vulnerable libraries or tools should be evaluated for upgrade eligibility.", "description_and_impact": "The vulnerability resides in iccDEV's CIccTagText::Read function, where an attacker can supply overly large or malformed text data that causes an out-of-bounds read, an improper null termination, and ultimately a heap-based buffer overflow. This memory corruption can allow an attacker to manipulate the execution flow of the process using iccDEV libraries, potentially leading to arbitrary code execution or denial of service. The weakness is typical of untrusted data handling failures, as documented by the referenced CWEs.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require the presence of untrusted or malformed ICC profile data processed by the CIccTagText::Read routine, which is likely to be supplied from external sources such as client uploads or network inputs. Given the lack of publicly available exploits and the low EPSS, the immediate risk is moderate but should be mitigated promptly."}}}}, "created": "2026-01-07T10:36:28.367693+00:00", "updated": "2026-04-18T08:15:15.898771+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"], "weaknesses": ["CWE-122", "CWE-125", "CWE-170"]}