What is the CVSS score of CVE-2026-21675?

CVE-2026-21675 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Iccdev are affected by CVE-2026-21675?

CVE-2026-21675 presents critical security risk, a input validation vulnerability rated CVSS 9.8.. A patch is available.

Is there a public PoC exploit available for CVE-2026-21675?

Yes, a public proof-of-concept exploit is available for CVE-2026-21675. Prioritise patching immediately. EPSS: 0.2%.

Iccdev CVE-2026-21675

CRITICAL

Improper Input Validation (CWE-20)

2026-01-06 security-advisories@github.com

Use After Free Iccdev

9.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Jan 12, 2026 - 21:00 vuln.today

Public exploit code

Patch released

Jan 12, 2026 - 21:00 nvd

Patch available

CVE Published

Jan 06, 2026 - 02:15 nvd

CRITICAL 9.8

DescriptionGitHub Advisory

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1.

AnalysisAI

iccDEV ICC color profile library (through 2.3.1) has a use-after-free in CIccXform::Create() when processing hint objects. Processing a malicious ICC profile can lead to code execution. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send crafted ICC profile

Exploit

Trigger CIccXform::Create() function

Execution

Use after free in hint deletion

Impact

Execute arbitrary code with high privileges

Access

Send crafted ICC profile

Exploit

Trigger CIccXform::Create() function

Execution

Use after free in hint deletion

Impact

Execute arbitrary code with high privileges

Vulnerability AssessmentAI

Exploitation	No special conditions — remote unauthenticated exploitation against iccDEV versions 2.3.1 and below processing untrusted ICC color profiles. Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 9.8 (Critical). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker embeds a malicious ICC color profile in an image file. When a desktop publishing or image editing application using iccDEV processes the file, the UAF triggers code execution.
Remediation	Update to iccDEV 2.3.1.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all affected systems and apply vendor patches immediately. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-21675 vulnerability details – vuln.today

Back

Iccdev CVE-2026-21675

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code