CVE-2026-21493

MEDIUM

iccDEV <2.3.1.1 - Memory Corruption

Title source: llm

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are vulnerable to Type Confusion in its CIccSingleSampledeCurveXml class during XML Curve Serialization. This issue is fixed in version 2.3.1.2.

Scores

CVSS v3: 6.6
EPSS: 0.0002
EPSS Percentile: 5.2%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-188, CWE-703, CWE-843
Status: published
Products (1): color/iccdev < 2.3.1.2
Published: Jan 06, 2026
Tracked Since: Feb 18, 2026