CVE-2026-21693

iccDEV has Type Confusion in CIccSegmentedCurveXml::ToXml() at IccXML/IccLibXML/IccMpeXml.cpp

CVSS 8.8 HIGH | EPSS 0.3% | CWE-20 | CWE-681 | CWE-754 | CWE-843
In short

The iccDEV library has a type confusion bug in its color profile processing code that can cause the program to crash or behave unpredictably when handling certain ICC color profiles. This affects anyone using iccDEV to work with color management files.

Technical detail

A type confusion vulnerability in CIccSegmentedCurveXml::ToXml() allows an attacker to craft a malicious ICC color profile that triggers incorrect type handling during XML serialization. The vulnerability requires processing of a specially crafted ICC profile file and can lead to denial of service or memory corruption.

Summary generated and translated by AI from the official description.

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccSegmentedCurveXml::ToXml()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
