{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21690", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-02T18:45:27.397Z", "datePublished": "2026-01-07T21:50:25.822Z", "dateUpdated": "2026-01-08T14:44:06.772Z"}, "containers": {"cna": {"title": "iccDEV has Type Confusion in CIccTagXmlTagData::ToXml()", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-457", "lang": "en", "description": "CWE-457: Use of Uninitialized Variable", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-475", "lang": "en", "description": "CWE-475: Undefined Behavior for Input to API", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2f26-vh48-38g6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2f26-vh48-38g6"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/393", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/393"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/pull/426", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/426"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T21:50:25.822Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTagXmlTagData::ToXml()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-2f26-vh48-38g6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T14:42:56.611371Z", "id": "CVE-2026-21690", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:44:06.772Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21690", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T14:42:56.611371Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T14:44:00.330Z"}}], "cna": {"title": "iccDEV has Type Confusion in CIccTagXmlTagData::ToXml()", "source": {"advisory": "GHSA-2f26-vh48-38g6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.2"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2f26-vh48-38g6", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2f26-vh48-38g6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/393", "name": "https://github.com/InternationalColorConsortium/iccDEV/issues/393", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/426", "name": "https://github.com/InternationalColorConsortium/iccDEV/pull/426", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTagXmlTagData::ToXml()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-457", "description": "CWE-457: Use of Uninitialized Variable"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-475", "description": "CWE-475: Undefined Behavior for Input to API"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T21:50:25.822Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21690", "state": "PUBLISHED", "dateUpdated": "2026-01-08T14:44:06.772Z", "dateReserved": "2026-01-02T18:45:27.397Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-07T21:50:25.822Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680", "versionEndExcluding": "2.3.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTagXmlTagData::ToXml()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}], "id": "CVE-2026-21690", "lastModified": "2026-01-12T18:26:22.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-07T22:15:45.383", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/393"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/426"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2f26-vh48-38g6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-457"}, {"lang": "en", "value": "CWE-475"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-843"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:48:19.425868+00:00", "value": {"mitigation_remediation": ["Upgrade the iccDEV library to version 2.3.1.2 or later as soon as possible.", "Rebuild or recompile any applications that link to iccDEV to incorporate the patched library version.", "If an immediate upgrade is not feasible, limit the acceptance of ICC profiles to trusted sources and manually validate any custom profiles before they are fed to the library."], "summary": {"action": "Patch ASAP", "impact": "Untrusted Input Exploitation"}, "threat_synthesis": {"affected_systems": "All versions of the International Color Consortium\u2019s iccDEV library older than 2.3.1.2 that are used to read or process ICC color profiles are affected. Applications, services, or third\u2011party components that embed or link against the vulnerable library are at risk when they import data from untrusted profiles.", "description_and_impact": "iccDEV is a library that handles ICC color profiles. In releases before 2.3.1.2, the CIccTagXmlTagData::ToXml() function has a type\u2011confusion flaw that can be triggered by supplying a crafted XML tag inside a profile. The incorrect handling of data types may lead to memory corruption, corrupted profile data, or other unintended behavior. The description of the vulnerability does not indicate that code execution is possible, only that the library misinterprets input data.", "risk_and_exploitability": "The CVSS score of 6.3 reflects moderate severity, while the EPSS score of less than 1% indicates that exploitation attempts are expected to be rare. It is not listed in the CISA KEV catalog. The likely attack vector is file\u2011based: an attacker supplies a malicious ICC profile that is processed by the vulnerable library. If the profile is interpreted in a privileged or sensitive context, untrusted data could corrupt application state or compromise data integrity."}}}}, "created": "2026-01-08T09:48:12.223856+00:00", "updated": "2026-04-18T17:00:05.564412+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}