{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21673", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-02T18:45:27.394Z", "datePublished": "2026-01-06T01:32:21.632Z", "dateUpdated": "2026-01-06T19:00:53.347Z"}, "containers": {"cna": {"title": "iccDEV has Integer Overflow/Underflow in CIccXmlArrayType::ParseTextCountNum()", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-681", "lang": "en", "description": "CWE-681: Incorrect Conversion between Numeric Types", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-704", "lang": "en", "description": "CWE-704: Incorrect Type Conversion or Cast", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-g66g-f82c-vgm6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-g66g-f82c-vgm6"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/243", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/243"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/commit/32740802ee14418bd14c429d7e2f142d92cd5c4f", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/32740802ee14418bd14c429d7e2f142d92cd5c4f"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-06T01:32:21.632Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1."}], "source": {"advisory": "GHSA-g66g-f82c-vgm6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:23:27.724347Z", "id": "CVE-2026-21673", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T19:00:53.347Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21673", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-02T18:45:27.394Z", "datePublished": "2026-01-06T01:32:21.632Z", "dateUpdated": "2026-01-06T19:00:53.347Z"}, "containers": {"cna": {"title": "iccDEV has Integer Overflow/Underflow in CIccXmlArrayType::ParseTextCountNum()", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-681", "lang": "en", "description": "CWE-681: Incorrect Conversion between Numeric Types", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-704", "lang": "en", "description": "CWE-704: Incorrect Type Conversion or Cast", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-g66g-f82c-vgm6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-g66g-f82c-vgm6"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/243", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/243"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/commit/32740802ee14418bd14c429d7e2f142d92cd5c4f", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/32740802ee14418bd14c429d7e2f142d92cd5c4f"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-06T01:32:21.632Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1."}], "source": {"advisory": "GHSA-g66g-f82c-vgm6", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21673", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-06T14:23:27.724347Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:23:29.790Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E50DFFC-9185-4969-85A7-6D3976699720", "versionEndExcluding": "2.3.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1."}], "id": "CVE-2026-21673", "lastModified": "2026-01-12T21:03:33.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-06T02:15:45.343", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/32740802ee14418bd14c429d7e2f142d92cd5c4f"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/243"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-g66g-f82c-vgm6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-681"}, {"lang": "en", "value": "CWE-704"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:16:47.777854+00:00", "value": {"mitigation_remediation": ["Upgrade the iccDEV library to version 2.3.1.1 or later to apply the fix that avoids the integer overflow/underflow in CIccXmlArrayType::ParseTextCountNum().", "If an upgrade is not immediately possible, limit the loading of ICC profiles to trusted sources only, and reject profiles containing unusually large counts or malformed numeric values. Ensure the application validates profile integrity before processing.", "Deploy the latest version of iccDEV in all systems that handle ICC profiles, and monitor for any anomalous application crashes or unusual activity that may indicate an attempted exploitation of this integer handling flaw."], "summary": {"action": "Apply Patch", "impact": "Memory Corruption / Potential Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Products owned by the International Color Consortium using the iccDEV library, version 2.3.1 and earlier. Users who integrate iccDEV or supply ICC color profiles to any software that relies on this library are affected. The fixed version 2.3.1.1 is available and should replace older releases.", "description_and_impact": "The vulnerability resides in a function that parses the count of array elements in ICC XML profiles. An integer overflow or underflow can occur when this function processes malformed numeric values, leading to a corrupted memory reference. The result may be an application crash (denial of service) or, if the overflow is exploited in a controlled environment, arbitrary code execution. The weakness is a classic integer handling issue. The CVE mentions the fix in a later library release, indicating the impact is tangible for applications that use the iccDEV library when processing user\u2011supplied ICC profiles.", "risk_and_exploitability": "The CVSS score of 7.8 classifies the vulnerability as high severity. While the EPSS score is below 1%, indicating a low prior probability of exploitation, the ever\u2011present possibility of an attacker supplying a malicious ICC profile means the risk is real for applications that ingest color profiles from untrusted sources. The vulnerability is not currently listed in the CISA KEV catalog and no public exploits are reported. Exploitation preconditions are minimal: a program that links against iccDEV and loads an ICC profile provided by an attacker. Hence the risk is moderate but warrants immediate mitigation."}}}}, "created": "2026-01-06T14:16:00.521457+00:00", "updated": "2026-04-18T08:30:35.818429+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}