CVE-2026-21688

EUVD-2026-1390

07.01.2026, 22:15

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `SIccCalcOp::ArgsPushed()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
GitHub_M	CNA	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 36%

Affected Products (NVD)

Vendor	Product	Version
color	iccdev	𝑥 < 2.3.1.2

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/InternationalColorConsortium/iccDEV/issues/379

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://github.com/InternationalColorConsortium/iccDEV/issues/379

https://github.com/InternationalColorConsortium/iccDEV/pull/422

https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3r2x-j7v3-pg6f