Skip to main content

Iccdev CVE-2026-21676

HIGH
Heap-based Buffer Overflow (CWE-122)
2026-01-06 security-advisories@github.com
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
PoC Detected
Jan 12, 2026 - 20:55 vuln.today
Public exploit code
Patch released
Jan 12, 2026 - 20:55 nvd
Patch available
CVE Published
Jan 06, 2026 - 04:15 nvd
HIGH 8.8

DescriptionGitHub Advisory

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1.

AnalysisAI

Heap buffer overflow in iccDEV versions 2.3.1 and earlier allows remote attackers to execute arbitrary code or crash the application through malformed ICC color profile data processed by the CIccMBB::Validate function. Public exploit code exists for this vulnerability, which affects all users handling untrusted color profiles. Upgrade to version 2.3.1.1 or later to remediate.

Technical ContextAI

Classified as CWE-122 (Heap-based Buffer Overflow). Affects Iccdev. iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1.

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 2.3.1.1.. Enable ASLR, DEP/NX, and stack canaries where possible. Restrict network access to the affected service where possible.

More in Iccdev

View all
CVE-2026-21675 CRITICAL POC
9.8 Jan 06

iccDEV ICC color profile library (through 2.3.1) has a use-after-free in CIccXform::Create() when processing hint object

CVE-2026-24412 HIGH POC
8.8 Jan 24

Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution through maliciously crafted ICC c

CVE-2026-24406 HIGH POC
8.8 Jan 24

Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution when processing maliciously craft

CVE-2026-24405 HIGH POC
8.8 Jan 24

Heap buffer overflow in iccDEV versions 2.3.1.1 and earlier allows remote code execution through maliciously crafted ICC

CVE-2026-21688 HIGH POC
8.8 Jan 07

Type confusion in iccDEV library versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code executi

CVE-2026-21677 HIGH POC
8.8 Jan 06

iccDEV color management library versions 2.3.1 and earlier contain undefined behavior in the CLUT initialization functio

CVE-2026-21485 HIGH POC
8.8 Jan 06

iccDEV ICC color profile libraries versions 2.3.1.1 and earlier suffer from undefined behavior and out-of-memory errors

CVE-2026-22047 HIGH POC
8.8 Jan 07

Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color

CVE-2026-21693 HIGH POC
8.8 Jan 07

Type confusion in iccDEV versions before 2.3.1.2 allows attackers to corrupt memory and achieve high-impact outcomes inc

CVE-2026-21692 HIGH POC
8.8 Jan 07

Type confusion in iccDEV versions before 2.3.1.2 allows unauthenticated attackers to achieve remote code execution throu

CVE-2026-21682 HIGH POC
8.8 Jan 07

Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color

CVE-2026-21679 HIGH POC
8.8 Jan 07

Heap buffer overflow in iccDEV versions prior to 2.3.1.2 allows remote attackers to execute arbitrary code through the C

Share

CVE-2026-21676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy