CVE-2026-21505

5.5 MEDIUM

📋 TL;DR

CVE-2026-21505 is an undefined-behavior bug in the iccDEV color management library: an enum is used with a value outside its defined range. Depending on compiler and platform, this can surface as a crash, memory corruption, or other unpredictable behavior in any application that links the library. All iccDEV versions before 2.3.1.2 are affected.

💻 Affected Systems

Products:
  • iccDEV library and tools
  • Applications using iccDEV for color management
Versions: All versions prior to 2.3.1.2
Operating Systems: All platforms where iccDEV is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in the core library, so all configurations using affected versions are vulnerable

📦 What is this software?

iccDEV is the International Color Consortium's open-source implementation for reading, writing, and applying ICC color profiles. It ships as a library plus a set of command-line tools and is typically compiled into or linked by other applications that need color management, so a defect in the core library reaches every such application.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution or complete system compromise if the undefined behavior leads to memory corruption that can be weaponized

🟠

Likely Case

Application crashes, denial of service, or data corruption in color processing operations

🟢

If Mitigated

Minimal impact with proper input validation and sandboxing in place

🌐 Internet-Facing: MEDIUM - Applications processing untrusted ICC profiles from external sources could be vulnerable
🏢 Internal Only: LOW - Internal systems processing trusted ICC profiles have lower exposure

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation depends on how applications use the library and process ICC profiles

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.1.2

Vendor Advisory: https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-j577-8285-qrf9

Restart Required: Yes

Instructions:

1. Update iccDEV to version 2.3.1.2 or later
2. Recompile any applications using iccDEV
3. Restart affected services or applications

🔧 Temporary Workarounds

Input validation for ICC profiles (all platforms):
  • Implement strict validation of ICC profile inputs before processing, rejecting anything malformed before it reaches the library

Sandbox color processing (all platforms):
  • Run iccDEV operations in isolated containers or sandboxes so that a crash or memory corruption stays contained
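The "strict validation of ICC profile inputs" workaround above, as an added example that is not part of the original page or of iccDEV itself: a Python pre-filter that checks the 128-byte ICC header and the tag table before the bytes are handed to the library. The permitted values for device class, PCS and rendering intent are taken from the public ICC.1 specification; the tag-count bound is our own choice; the sample profiles are constructed in the code. The advisory does not say which enum field carries the invalid value, so this is a generic structural gate on the enumerated header fields and on tag bounds, not a check for the specific faulting field.

```python
import struct

HEADER_LEN = 128
TAG_ENTRY_LEN = 12
# Layout of the first 68 header bytes (ICC.1 header): size, CMM, version,
# device class, colour space, PCS, 12-byte date/time (skipped), 'acsp',
# platform, flags, manufacturer, model, 8-byte attributes, rendering intent.
HEADER_FMT = ">I4sI4s4s4s12x4s4sI4s4s8sI"

# Enumerated header fields and the values ICC.1 defines for them. Assumption:
# a generic filter; the advisory does not name the enum behind the CVE.
DEVICE_CLASSES = {b"scnr", b"mntr", b"prtr", b"link", b"spac", b"abst", b"nmcl"}
PCS_VALUES = {b"XYZ ", b"Lab "}
MAX_RENDERING_INTENT = 3   # perceptual, media-relative, saturation, ICC-absolute
MAX_TAGS = 4096            # sanity bound chosen for this filter, not an ICC limit


class InvalidProfile(ValueError):
    """Raised on the first structural problem found in a profile."""


def validate_icc_profile(data: bytes) -> dict:
    """Check header and tag table of an ICC profile before a CMM sees it.

    Returns the parsed header fields and tag map on success.
    """
    if len(data) < HEADER_LEN + 4:
        raise InvalidProfile("shorter than header plus tag count")
    (size, _cmm, version, dev_class, color_space, pcs, acsp, _platform,
     _flags, _manufacturer, _model, _attributes, intent) = struct.unpack(
        HEADER_FMT, data[:struct.calcsize(HEADER_FMT)])

    if acsp != b"acsp":
        raise InvalidProfile("missing 'acsp' profile file signature")
    # Parsers derive bounds from the size field, so it must match the buffer.
    if size != len(data):
        raise InvalidProfile(f"size field {size} != buffer length {len(data)}")
    major = version >> 24
    if major not in (2, 3, 4, 5) or version & 0xFFFF:   # low 16 bits are reserved
        raise InvalidProfile(f"unsupported or malformed version 0x{version:08x}")
    if dev_class not in DEVICE_CLASSES:
        raise InvalidProfile(f"unknown device class {dev_class!r}")
    # For device link profiles the PCS field holds the output colour space.
    if dev_class != b"link" and pcs not in PCS_VALUES:
        raise InvalidProfile(f"unknown PCS {pcs!r}")
    if intent > MAX_RENDERING_INTENT:
        raise InvalidProfile(f"rendering intent {intent} out of range")

    (tag_count,) = struct.unpack(">I", data[HEADER_LEN:HEADER_LEN + 4])
    table_end = HEADER_LEN + 4 + tag_count * TAG_ENTRY_LEN
    if tag_count > MAX_TAGS or table_end > size:
        raise InvalidProfile(f"tag table of {tag_count} entries does not fit")

    tags = {}
    for i in range(tag_count):
        base = HEADER_LEN + 4 + i * TAG_ENTRY_LEN
        sig, offset, length = struct.unpack(">4sII", data[base:base + TAG_ENTRY_LEN])
        # Tag data must start after the table and end inside the declared size.
        # Python ints never wrap; the same check in C must guard offset+length.
        if offset < table_end or offset + length > size:
            raise InvalidProfile(f"tag {sig!r} at {offset}+{length} outside profile")
        if sig in tags:
            raise InvalidProfile(f"duplicate tag {sig!r}")
        tags[sig] = (offset, length)

    return {"version": major, "device_class": dev_class, "color_space": color_space,
            "pcs": pcs, "rendering_intent": intent, "tags": tags}


def is_valid_profile(data: bytes) -> bool:
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        validate_icc_profile(data)
        return True
    except InvalidProfile:
        return False


def build_profile(tags, *, dev_class=b"mntr", pcs=b"XYZ ", intent=0,
                  acsp=b"acsp") -> bytes:
    """Construct a minimal v4 profile for testing (constructed sample, not a real profile)."""
    table_end = HEADER_LEN + 4 + len(tags) * TAG_ENTRY_LEN
    table, body, cursor = b"", b"", table_end
    for sig, payload in tags:
        table += struct.pack(">4sII", sig, cursor, len(payload))
        body += payload
        cursor += len(payload)
    header = struct.pack(HEADER_FMT, cursor, b"none", 0x04400000, dev_class, b"RGB ",
                         pcs, acsp, b"APPL", 0, b"none", b"none", b"\0" * 8, intent)
    return header.ljust(HEADER_LEN, b"\0") + struct.pack(">I", len(tags)) + table + body


def corrupt_tag_length(profile: bytes, new_length: int) -> bytes:
    """Overwrite the first tag entry's length field to simulate an out-of-bounds tag."""
    buf = bytearray(profile)
    struct.pack_into(">I", buf, HEADER_LEN + 4 + 8, new_length)
    return bytes(buf)


if __name__ == "__main__":
    good = build_profile([(b"desc", b"mluc" + b"\0" * 12), (b"wtpt", b"XYZ " + b"\0" * 16)])
    print("well-formed:", validate_icc_profile(good)["tags"])
    for label, sample in [
        ("bad signature", build_profile([], acsp=b"xxxx")),
        ("rendering intent 7", build_profile([], intent=7)),
        ("tag length overflow", corrupt_tag_length(good, 0xFFFFFFFF)),
        ("truncated", good[:100]),
    ]:
        print(f"{label}: {'accepted' if is_valid_profile(sample) else 'rejected'}")
```

Run the filter at the trust boundary (upload handler, file importer) and pass only accepted buffers to iccDEV. It deliberately rejects rather than repairs: a profile whose size field disagrees with the buffer, or whose tag table points outside it, is exactly the input that exercises the library's error paths, and those are where undefined behavior of this kind tends to sit.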

🧯 If You Can't Patch

  • Restrict processing of untrusted ICC profiles from external sources
  • Implement network segmentation to isolate systems using vulnerable iccDEV versions

🔍 How to Verify

Check if Vulnerable:

iccDEV is usually vendored or built from source and linked into the consuming application, so the version to check is the one each application was built against. For a vendored checkout use the git tag; for a distribution package use the package manager's output. Anything below 2.3.1.2 is affected.

Check Version:

git -C /path/to/iccDEV describe --tags

Verify Fix Applied:

Confirm the linked version is 2.3.1.2 or later, rebuild and redeploy the consuming applications, then exercise ICC profile processing (including a few deliberately malformed profiles) to confirm the application handles them without crashing.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during ICC profile processing
  • Memory access violation errors in logs
  • Unexpected termination of color management services

Network Indicators:

  • Unusual network traffic to/from color management services
  • Multiple failed ICC profile upload attempts

SIEM Query:

source="application_logs" AND ("segmentation fault" OR "access violation" OR "undefined behavior") AND process="*icc*"
