iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) col...
Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Executive Summary:
A critical Use After Free vulnerability exists in the iccDEV color management libraries, affecting multiple products using versions 2.3.1 and below. This flaw can be triggered when an application processes a specially crafted file, potentially allowing an attacker to execute arbitrary code and gain full control of the affected system. Due to the high severity, immediate patching is required to prevent a potential system compromise.
Vulnerability Details
CVE-ID: CVE-2026-21675
Affected Software: iccDEV provides a set of libraries and tools for working with ICC color management Multiple Products
Affected Versions: Versions 2.3.1 and below
Vulnerability: The vulnerability is a Use After Free (UAF) condition within the
CIccXform::Create()function of the iccDEV library. In vulnerable versions, a memory object (hint) is deallocated (freed) but a pointer to it is kept. Later, the program attempts to use this pointer, which now points to invalid memory. An attacker can exploit this by crafting a malicious file (such as an image with a specially designed ICC color profile) that, when processed by an application using the vulnerable library, manipulates memory to place malicious code in the freed location. Successful exploitation leads to arbitrary code execution in the context of the user running the application or a denial-of-service condition through an application crash.Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the system where the vulnerable software is running. An attacker could execute code remotely, allowing them to install malware, exfiltrate sensitive data, disrupt business operations, or use the compromised system as a pivot point to attack other internal network resources. The business risk is significant for any system that processes untrusted files using software dependent on the vulnerable iccDEV library, such as graphic design workstations, web servers that process image uploads, or document management systems.
Remediation Plan
Immediate Action:
Identify all systems and applications that utilize the iccDEV library and update them to the patched version 2.3.1.1 or later. Prioritize patching on internet-facing systems and critical workstations that process files from external sources. After patching, monitor for any signs of exploitation attempts and review relevant application and system logs for unusual activity preceding the update.
Proactive Monitoring:
Implement enhanced monitoring for applications that use the iccDEV library. Look for unusual application crashes, especially those related to file processing. Monitor for suspicious child processes spawning from the affected applications. Analyze network traffic for unexpected outbound connections from systems running the software, which could indicate a successful compromise. Review security logs for memory corruption errors or access violations tied to the vulnerable processes.
Compensating Controls:
If immediate patching is not feasible, implement the following controls to reduce risk:
Exploitation Status
Public Exploit Available: false
Analyst Notes:
As of the publication date, Jan 6, 2026, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, given the critical CVSS score and the nature of the vulnerability, it is highly likely that threat actors will develop exploits. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the critical CVSS score of 9.8, this vulnerability poses a severe risk to the organization. We strongly recommend that all system owners immediately identify and patch affected software to version 2.3.1.1 or a later release. This vulnerability should be treated with the highest priority. Although it is not yet on the CISA KEV list, the potential for remote code execution means that proactive patching is essential to prevent future exploitation and a potential system compromise.