{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21677", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-02T18:45:27.395Z", "datePublished": "2026-01-06T03:11:30.537Z", "dateUpdated": "2026-01-06T18:56:50.126Z"}, "containers": {"cna": {"title": "iccDEV has Undefined Behavior in CIccCLUT::Init()", "problemTypes": [{"descriptions": [{"cweId": "CWE-758", "lang": "en", "description": "CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-95w5-jvqf-3994", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-95w5-jvqf-3994"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/181", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/181"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/commit/201125fbda22c8e4ea95800a6b427093fa4b8a22", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/201125fbda22c8e4ea95800a6b427093fa4b8a22"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-06T03:12:18.035Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1."}], "source": {"advisory": "GHSA-95w5-jvqf-3994", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/181", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:19:38.931382Z", "id": "CVE-2026-21677", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T18:56:50.126Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21677", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-06T14:19:38.931382Z"}}}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/181", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:19:41.864Z"}}], "cna": {"title": "iccDEV has Undefined Behavior in CIccCLUT::Init()", "source": {"advisory": "GHSA-95w5-jvqf-3994", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.1"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-95w5-jvqf-3994", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-95w5-jvqf-3994", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/181", "name": "https://github.com/InternationalColorConsortium/iccDEV/issues/181", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/201125fbda22c8e4ea95800a6b427093fa4b8a22", "name": "https://github.com/InternationalColorConsortium/iccDEV/commit/201125fbda22c8e4ea95800a6b427093fa4b8a22", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-758", "description": "CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-06T03:12:18.035Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21677", "state": "PUBLISHED", "dateUpdated": "2026-01-06T18:56:50.126Z", "dateReserved": "2026-01-02T18:45:27.395Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-06T03:11:30.537Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E50DFFC-9185-4969-85A7-6D3976699720", "versionEndExcluding": "2.3.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1."}], "id": "CVE-2026-21677", "lastModified": "2026-01-12T20:40:01.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-06T04:15:54.397", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/201125fbda22c8e4ea95800a6b427093fa4b8a22"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/181"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-95w5-jvqf-3994"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/181"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-758"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:15:53.445537+00:00", "value": {"mitigation_remediation": ["Upgrade iccDEV to version 2.3.1.1 or later.", "Restrict the use of untrusted ICC files or validate them before passing to his library to mitigate input\u2011related attacks.", "Apply memory\u2011safety mechanisms such as stack canaries, address\u2011space randomization, or runtime sanitizers to reduce the impact of any remaining undefined behavior."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the International Color Consortium\u2019s iccDEV library, specifically versions 2.3.1 and earlier. The issue was corrected in version 2.3.1.1, so any installation of 2.3.1 or older is susceptible.", "description_and_impact": "An undefined behavior flaw exists in iccDEV's CIccCLUT::Init function, which allocates and sizes the Color Lookup Table (CLUT). The bug originates from improper input validation (CWE\u201120) combined with undefined memory handling (CWE\u2011758), allowing an attacker to craft a malformed ICC profile that can corrupt the program\u2019s memory. Such corruption can lead to arbitrary code execution or program crashes, compromising confidentiality, integrity, and availability of systems that use the library.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity, while the EPSS score of <1\u202f% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack would require an adversary to supply a malicious ICC file to a process that loads the library, implying a local or privileged attacker scenario. While exploit evidence is scarce, the high CVSS and the potential for remote code execution make the risk significant if unpatched."}}}}, "created": "2026-01-06T14:16:15.209916+00:00", "updated": "2026-04-18T08:30:35.817005+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}