CVE-2026-21675

iccDEV has a Use After Free vulnerability in CIccCmm class via improper hint manager object deletion

CVSS 9.8 CRITICAL
EPSS 0.4%
CWE-20, CWE-416
In short

iccDEV, a set of libraries and tools for ICC color management profiles, contains a use-after-free: an object is deleted and then accessed again through the stale pointer. An attacker who can reach the affected code path can crash the process or, depending on heap state, potentially execute code. ICC profiles are embedded in images and documents and processed by many imaging pipelines, so the library's consumers, not just its own tools, inherit the exposure.

Technical detail

A use-after-free exists in iccDEV's CIccXform::Create(): the hint manager object is deleted inside the function and then accessed afterwards (CWE-416). Per this page's summary the trigger is a specially crafted ICC color profile file; the result ranges from memory corruption and a crash (denial of service) to arbitrary code execution, depending on heap layout and the effort put into grooming it. Note that the advisory title names the CIccCmm class while the official description places the defect in CIccXform::Create(); the official text is the authoritative location. The CVSS vector assumes the worst case (network-reachable, no privileges, no user interaction); actual exposure depends on whether the application linking iccDEV accepts untrusted profiles. The fix is to upgrade to 2.3.1.1 or later, since 2.3.1 and all earlier versions are affected.

Summary generated and translated by AI from the official description.
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a Use After Free vulnerability in the CIccXform::Create() function, where it deletes the hint. This issue is fixed in version 2.3.1.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
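The defect class is easier to see in code than in prose. The block below is an added illustration and is not iccDEV's source: HintManager, Xform, createXformVulnerable and createXformFixed are simplified stand-ins I constructed to mirror the pattern the description gives (the callee deletes the hint object, then the same pointer is dereferenced). The real CIccXform::Create() signature and the real hint-manager class are not reproduced. The "before" function is kept only to show the shape of the bug and should only ever be exercised under AddressSanitizer; the "after" function makes ownership explicit with std::unique_ptr so the object cannot be freed and then read.

```cpp
// Added illustration of the CWE-416 pattern described in this advisory.
// Not iccDEV code: every class and function name here is a hypothetical stand-in.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Stand-in for a "hint manager": a bag of named creation hints.
struct HintManager {
    std::vector<std::string> hints;
    bool has(const std::string& name) const {
        return std::find(hints.begin(), hints.end(), name) != hints.end();
    }
};

// Stand-in for the transform object being created.
struct Xform {
    bool blackPointCompensation = false;
};

// BEFORE (hypothetical): the callee deletes the caller's hint manager on one
// path and then dereferences the same pointer on every path. With ok == false
// the read below is a use after free; AddressSanitizer reports it as
// "heap-use-after-free". The caller's own copy of pHints is left dangling too.
// Do not call this with ok == false outside a sanitizer build.
Xform* createXformVulnerable(bool ok, HintManager* pHints) {
    if (!ok) {
        delete pHints;                          // object freed here ...
    }
    bool bpc = pHints != nullptr && pHints->has("bpc");   // ... and read here
    if (!ok) {
        return nullptr;
    }
    Xform* x = new Xform;
    x->blackPointCompensation = bpc;
    return x;
}

// AFTER (hypothetical fix): ownership is explicit. The callee receives the
// hint manager by unique_ptr, so there is exactly one owner; it is released by
// RAII at scope exit, which is after the last read on every path, and the
// caller no longer holds a pointer to it at all.
std::unique_ptr<Xform> createXformFixed(bool ok, std::unique_ptr<HintManager> hints) {
    if (!ok) {
        return nullptr;                         // hints destroyed here, unread
    }
    auto x = std::make_unique<Xform>();
    x->blackPointCompensation = hints && hints->has("bpc");
    return x;                                   // hints destroyed after its last use
}

// Constructs a hint set (constructed test input, not a real profile).
std::unique_ptr<HintManager> makeHints(std::vector<std::string> names) {
    auto h = std::make_unique<HintManager>();
    h->hints = std::move(names);
    return h;
}

int main() {
    auto x = createXformFixed(true, makeHints({"bpc"}));
    std::printf("bpc hint honoured: %d\n", x ? (int)x->blackPointCompensation : -1);
    auto failed = createXformFixed(false, makeHints({"bpc"}));
    std::printf("failed create returns null: %d\n", failed == nullptr);
    return 0;
}
```

The ownership change is the whole fix: a raw pointer that is sometimes owned by the callee and sometimes by the caller is exactly the condition under which "delete, then read" and "delete, then caller deletes again" slip in. If an API must keep raw pointers, the equivalent discipline is to document which side owns the object and to null the pointer immediately after delete so a later dereference fails loudly rather than reading freed memory.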
