CVE-2026-21688

8.8 HIGH

📋 TL;DR

A type confusion vulnerability in iccDEV's SIccCalcOp::ArgsPushed() function can allow attackers to execute arbitrary code or cause a denial of service by getting a malicious ICC color profile processed. It affects every application that handles ICC color profiles with an iccDEV library version before 2.3.1.2.

💻 Affected Systems

Products:
  • iccDEV library
  • Applications using iccDEV for ICC profile processing
Versions: All versions prior to 2.3.1.2
Operating Systems: All platforms where iccDEV is used
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses iccDEV to parse or process ICC color profiles is vulnerable

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment
🟠 Likely Case: Application crash or denial of service affecting color processing functionality
🟢 If Mitigated: Limited impact with proper input validation and sandboxing of profile processing

🌐 Internet-Facing: MEDIUM - Requires processing of malicious ICC profiles which could be delivered via web uploads or email attachments
🏢 Internal Only: LOW - Typically requires user interaction to process malicious profiles

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious ICC profiles and getting them processed by vulnerable applications

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.1.2

Vendor Advisory: https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3r2x-j7v3-pg6f

Restart Required: Yes

Instructions:

1. Update iccDEV library to version 2.3.1.2 or later
2. Recompile any applications using iccDEV
3. Restart affected services or applications

🔧 Temporary Workarounds

No known workarounds

The vendor advisory states no workarounds are available

🧯 If You Can't Patch

  • Isolate systems that process ICC profiles from untrusted networks
  • Implement strict input validation and sandboxing for ICC profile processing

🔍 How to Verify

Check if Vulnerable:

Check if your application uses iccDEV library version < 2.3.1.2

Check Version:

Check build configuration or dependency files for iccDEV version

Verify Fix Applied:

Verify iccDEV version is 2.3.1.2 or higher and applications have been recompiled
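The version check above is a manual step; the script below is an added example (not code from the iccDEV project or the advisory) that automates the same comparison. It assumes the version string has already been pulled out of a build configuration or dependency file, and the sample lines it scans are constructed for illustration.

```python
"""Check whether a reported iccDEV version is below the fixed release 2.3.1.2.

Added example for this advisory; not code from the iccDEV project. It assumes
the version string was read from a build configuration or dependency file
(how that file looks is project-specific and not shown here).
"""
import re

FIXED_VERSION = (2, 3, 1, 2)  # first release carrying the fix, per the advisory


def parse_version(text: str) -> tuple:
    """Extract a dotted numeric version such as '2.3.1.1' from a string.

    Returns a tuple of ints padded to four components so that '2.3.1'
    compares as 2.3.1.0. Raises ValueError when no version is present.
    """
    match = re.search(r"(\d+(?:\.\d+){0,3})", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def is_vulnerable(version_text: str) -> bool:
    """True when the version is strictly older than 2.3.1.2."""
    return parse_version(version_text) < FIXED_VERSION


def scan_dependency_lines(lines):
    """Report the status of every iccDEV pin found in dependency lines.

    Lines that do not mention iccDEV are ignored; lines that mention it but
    carry no parseable version are reported as 'unknown' so they get a
    manual look rather than being silently treated as fixed.
    """
    findings = []
    for line in lines:
        if "iccdev" not in line.lower():
            continue
        try:
            status = "vulnerable" if is_vulnerable(line) else "fixed"
        except ValueError:
            status = "unknown"
        findings.append((line.strip(), status))
    return findings


# Constructed sample lines (not real project files)
SAMPLE_LINES = [
    "iccDEV 2.3.1.1",
    "IccDev_VERSION = 2.3.1.2",
    "iccdev==2.4.0",
    "libpng 1.6.40",
    "iccDEV (version unknown)",
]

if __name__ == "__main__":
    for line, status in scan_dependency_lines(SAMPLE_LINES):
        print(f"{status:10s} {line}")
```

Remember that a fixed library version on disk is not enough on its own: the advisory also requires recompiling applications that link iccDEV, so pair this check with a build-date or binary-hash comparison in your own pipeline.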

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during ICC profile processing
  • Memory access violation errors in logs

Network Indicators:

  • Unexpected ICC profile uploads or downloads

SIEM Query:

Application logs containing 'iccDEV', 'IccProfLib', or 'ICC profile processing' errors
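The log indicators and SIEM query above are described in prose; the script below is an added example (not part of the advisory) that turns them into a small detection run over constructed log lines. The log format, the fault keywords and the three-line context window are assumptions to adapt to your own application's logging, not vendor-supplied rules.

```python
"""Flag log lines matching this advisory's detection indicators.

Added example, not part of the original advisory. The log format below is
constructed for illustration; real applications log differently, so the
regexes are a starting point to adapt, not a vendor-supplied rule.
"""
import re
from typing import Optional

# Component names taken from the advisory's SIEM guidance
COMPONENT_TERMS = re.compile(r"iccDEV|IccProfLib|ICC profile processing", re.IGNORECASE)
# Crash / memory-fault wording matching the advisory's log indicators
FAULT_TERMS = re.compile(
    r"segmentation fault|access violation|SIGSEGV|SIGABRT|crash|"
    r"EXCEPTION_ACCESS_VIOLATION|bus error",
    re.IGNORECASE,
)


def classify_line(line: str) -> Optional[str]:
    """Return 'fault' when a line names an ICC component together with a
    memory fault or crash, 'mention' when only the component appears, and
    None otherwise."""
    has_component = bool(COMPONENT_TERMS.search(line))
    has_fault = bool(FAULT_TERMS.search(line))
    if has_component and has_fault:
        return "fault"
    if has_component:
        return "mention"
    return None


def find_indicators(lines):
    """Return (line_number, label, line) for every line worth keeping.

    'fault' lines are the strongest signal for this CVE; 'mention' lines are
    kept so an analyst can see which profile was being processed just before
    a fault.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        label = classify_line(line)
        if label:
            hits.append((number, label, line.strip()))
    return hits


def faults_with_context(lines, window=3):
    """Pair each 'fault' line with the ICC 'mention' lines in the preceding
    `window` lines, so the triggering profile name (if logged) is surfaced."""
    hits = find_indicators(lines)
    mentions = [(n, text) for n, label, text in hits if label == "mention"]
    result = []
    for number, label, text in hits:
        if label != "fault":
            continue
        context = [m for n, m in mentions if number - window <= n < number]
        result.append((text, context))
    return result


# Constructed sample log (not from a real incident)
SAMPLE_LOG = [
    "2026-01-10T09:14:02Z INFO  imageproc: starting job 1182",
    "2026-01-10T09:14:02Z DEBUG IccProfLib: parsing ICC profile upload_77.icc",
    "2026-01-10T09:14:02Z DEBUG IccProfLib: evaluating profile element",
    "2026-01-10T09:14:03Z ERROR imageproc: worker 4 died: segmentation fault in iccDEV",
    "2026-01-10T09:14:05Z INFO  imageproc: starting job 1183",
    "2026-01-10T09:14:05Z ERROR db: connection reset (crash recovery started)",
]

if __name__ == "__main__":
    for text, context in faults_with_context(SAMPLE_LOG):
        print("FAULT  :", text)
        for c in context:
            print("  before:", c)
```

The last sample line shows why the component match matters: a generic "crash" in an unrelated subsystem is not escalated, while a fault that names iccDEV is reported together with the profile that was being parsed just before it.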
