CVE-2026-21687

7.1 HIGH

📋 TL;DR

CVE-2026-21687 is an undefined behavior vulnerability in the CIccTagCurve constructor of the iccDEV library that processes ICC color profiles. This could lead to memory corruption, crashes, or potential code execution when processing malicious ICC profiles. Users of iccDEV library versions before 2.3.1.2 are affected.

💻 Affected Systems

Products:
  • iccDEV library
Versions: All versions prior to 2.3.1.2
Operating Systems: All platforms using iccDEV
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using iccDEV library to process ICC color profiles is vulnerable

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if exploited via malicious ICC profile processing

🟠 Likely Case: Application crashes, denial of service, or memory corruption when processing malformed ICC profiles

🟢 If Mitigated: Limited to application crashes if proper input validation and sandboxing are implemented

🌐 Internet-Facing: MEDIUM - Applications processing user-uploaded ICC profiles could be exploited remotely
🏢 Internal Only: LOW - Requires processing of malicious ICC profiles, typically from untrusted sources

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires processing a malicious ICC profile, but no public exploit code is available

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.1.2

Vendor Advisory: https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-prmm-g479-4fv7

Restart Required: Yes

Instructions:

1. Update the iccDEV library to version 2.3.1.2 or later.
2. Recompile applications that use the library.
3. Restart affected services.

🔧 Temporary Workarounds

No known workarounds

The vendor advisory states that no workarounds are available

🧯 If You Can't Patch

  • Restrict processing of untrusted ICC profiles to isolated environments
  • Implement strict input validation and sanitization for ICC profile processing

🔍 How to Verify

Check if Vulnerable:

Check whether your application uses an iccDEV library version earlier than 2.3.1.2

Check Version:

Check the library version in the build configuration or in runtime library information

Verify Fix Applied:

Verify that the iccDEV library version is 2.3.1.2 or later and that dependent applications have been recompiled against it

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during ICC profile processing
  • Memory access violation errors

Network Indicators:

  • Unusual ICC profile uploads to applications

SIEM Query:

Application logs containing 'iccDEV', 'CIccTagCurve', or ICC processing errors
