CVE-2026-21690

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTagXmlTagData::ToXml()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/InternationalColorConsortium/iccDEV/issues/393	Issue Tracking Exploit Vendor Advisory
https://github.com/InternationalColorConsortium/iccDEV/pull/426	Issue Tracking
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2f26-vh48-38g6	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-07 22:15

Updated : 2026-01-12 18:26

NVD link : CVE-2026-21690

Mitre link : CVE-2026-21690

CVE.ORG link : CVE-2026-21690

JSON object : View

Products Affected

color

iccdev

CWE

CWE-20

Improper Input Validation

CWE-457

Use of Uninitialized Variable

CWE-475

Undefined Behavior for Input to API

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

6.3 /10