{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21501", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-29T14:34:16.007Z", "datePublished": "2026-01-07T17:09:54.802Z", "dateUpdated": "2026-01-07T18:22:09.246Z"}, "containers": {"cna": {"title": "Stack Overflow in iccDEV Calculator Parser", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x7hw-h22p-2x4w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x7hw-h22p-2x4w"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/365", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/365"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/pull/413", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/413"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/commit/798be59011649a26a529600cc3cd56437634d3d0", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/798be59011649a26a529600cc3cd56437634d3d0"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/commit/f3056ed99935d479091470127ad16f8be1912bb7", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/f3056ed99935d479091470127ad16f8be1912bb7"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccProfLib/IccMpeCalc.cpp#L4588", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccProfLib/IccMpeCalc.cpp#L4588"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T17:09:54.802Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the calculator parser. This issue has been patched in version 2.3.1.2."}], "source": {"advisory": "GHSA-x7hw-h22p-2x4w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T18:15:31.164552Z", "id": "CVE-2026-21501", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T18:22:09.246Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21501", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T18:15:31.164552Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T18:22:03.343Z"}}], "cna": {"title": "Stack Overflow in iccDEV Calculator Parser", "source": {"advisory": "GHSA-x7hw-h22p-2x4w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.2"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x7hw-h22p-2x4w", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x7hw-h22p-2x4w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/365", "name": "https://github.com/InternationalColorConsortium/iccDEV/issues/365", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/413", "name": "https://github.com/InternationalColorConsortium/iccDEV/pull/413", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/798be59011649a26a529600cc3cd56437634d3d0", "name": "https://github.com/InternationalColorConsortium/iccDEV/commit/798be59011649a26a529600cc3cd56437634d3d0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/f3056ed99935d479091470127ad16f8be1912bb7", "name": "https://github.com/InternationalColorConsortium/iccDEV/commit/f3056ed99935d479091470127ad16f8be1912bb7", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccProfLib/IccMpeCalc.cpp#L4588", "name": "https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccProfLib/IccMpeCalc.cpp#L4588", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the calculator parser. This issue has been patched in version 2.3.1.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T17:09:54.802Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21501", "state": "PUBLISHED", "dateUpdated": "2026-01-07T18:22:09.246Z", "dateReserved": "2025-12-29T14:34:16.007Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-07T17:09:54.802Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680", "versionEndExcluding": "2.3.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to stack overflow in the calculator parser. This issue has been patched in version 2.3.1.2."}], "id": "CVE-2026-21501", "lastModified": "2026-01-09T21:33:44.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-07T18:15:54.100", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccProfLib/IccMpeCalc.cpp#L4588"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/798be59011649a26a529600cc3cd56437634d3d0"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/f3056ed99935d479091470127ad16f8be1912bb7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/365"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/413"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x7hw-h22p-2x4w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:02:56.662008+00:00", "value": {"mitigation_remediation": ["Upgrade iccDEV to version 2.3.1.2 or later.", "If upgrade is not possible, disable ICC profile parsing or restrict the usage of the vulnerable calculator parser to trusted inputs only.", "Implement additional input validation to reject malformed or excessively large calculation expressions before parsing."], "summary": {"action": "Apply patch", "impact": "Local code execution potential via crafted ICC profile"}, "threat_synthesis": {"affected_systems": "All installations of iccDEV prior to version 2.3.1.2 are affected. The affected component is the iccDEV library that processes ICC color profiles. Enterprises that rely on iccDEV for managing ICC profiles, for instance in imaging, publishing or printing workflows, need to verify their version and upgrade if necessary.", "description_and_impact": "Stack overflow occurs in iccDEV's calculator parser when parsing ICC calculation expressions. Malicious input can corrupt the stack, potentially leading to arbitrary code execution or denial of service. The flaw stems from improper input validation and an out\u2011of\u2011bounds write, as indicated by CWE\u201120 and CWE\u2011787.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate risk. The EPSS probability is below 1%, suggesting exploitation is unlikely at present. The vulnerability is not listed in CISA's KEV catalog. The flaw is a local stack buffer overflow, so it requires an attacker to supply a crafted ICC profile to the parser. If the profile originates from an untrusted source, the risk escalates."}}}}, "created": "2026-01-08T09:48:38.046609+00:00", "updated": "2026-04-18T08:15:15.884414+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}