CVE-2026-21674: CWE-401: Missing Release of Memory after Effective Lifetime in InternationalColorConsortium iccDEV
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below contain a memory leak vulnerability in its XML MPE Parsing Path (iccFromXml). This issue is fixed in version 2.3.1.1.
AI Analysis
Technical Summary
CVE-2026-21674 is a memory leak classified under CWE-401 (Missing Release of Memory after Effective Lifetime) in the iccDEV library, which is used for handling ICC color management profiles. The vulnerability exists in versions 2.3.1 and earlier, in the XML MPE parsing path (iccFromXml). When parsing XML data, the affected code fails to free allocated memory after use, so memory consumption grows gradually. This can lead to resource exhaustion, potentially degrading system performance or causing denial of service conditions. Exploitation requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R). The scope is unchanged (S:U), and only availability is affected (A:L), with no confidentiality or integrity impact. The issue has been addressed in version 2.3.1.1 of iccDEV. There are no known exploits in the wild at this time. The vulnerability primarily affects systems that use iccDEV for ICC profile processing, which is common in digital imaging, printing, and color management workflows. Because the vulnerability is a memory leak rather than a direct code execution or data corruption flaw, the risk is limited to potential denial of service through resource depletion rather than data compromise or system takeover.
Potential Impact
For European organizations, the primary impact of this vulnerability is potential degradation of service availability in applications or systems that rely on iccDEV for ICC color profile processing. This could affect industries such as digital printing, graphic design, photography, and any enterprise software handling color management workflows. Repeated exploitation or processing of crafted XML profiles could cause memory exhaustion, leading to application crashes or system slowdowns. While the vulnerability does not compromise confidentiality or integrity, availability issues could disrupt business operations, particularly in environments with high-volume or automated color profile processing. The impact is more pronounced in organizations with limited system resources or those running legacy versions of iccDEV. However, since exploitation requires local access and user interaction, remote attacks are unlikely, reducing the overall risk profile for many organizations.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should upgrade all instances of iccDEV to version 2.3.1.1 or later, where the memory leak has been fixed. In environments where immediate upgrading is not feasible, monitor the memory usage of applications that use iccDEV, especially during XML profile parsing operations, to detect abnormal resource consumption early. Limit user privileges to reduce the risk of exploitation, as the vulnerability requires user interaction and local access. Employ application whitelisting and endpoint protection to keep untrusted or malicious XML profiles from being processed. Additionally, conduct regular audits of software dependencies to identify and remediate outdated iccDEV versions. For critical systems, consider sandboxing or isolating color profile processing tasks to contain potential denial of service impacts. Finally, maintain awareness of vendor advisories and apply patches promptly.
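One way to implement the isolation and memory monitoring recommended above, as an added example that is not code from iccDEV or from this advisory: each profile conversion runs in its own child process under an address-space and CPU cap, and its peak resident memory is compared with an alert threshold. The function names, limits and the Python stand-in for the converter command are assumptions; Linux/POSIX only.

```python
import os
import resource
import subprocess
import sys
from dataclasses import dataclass

MIB = 1 << 20

@dataclass
class RunReport:
    exit_code: int       # negative means the child was killed by that signal number
    peak_rss_kib: int    # ru_maxrss is reported in KiB on Linux
    over_budget: bool    # peak resident memory exceeded the alert threshold

    @property
    def ok(self) -> bool:
        return self.exit_code == 0 and not self.over_budget

def _cap(res: int, value: int) -> None:
    """Lower soft and hard limit to value, never above the inherited hard limit."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))

def run_isolated(cmd, as_limit=1024 * MIB, cpu_seconds=30, rss_alert_kib=96 * 1024):
    """Run cmd (assumed: the converter invocation for ONE profile) and report on it."""
    def limits():  # runs in the child between fork and exec
        _cap(resource.RLIMIT_AS, as_limit)      # allocations beyond this fail
        _cap(resource.RLIMIT_CPU, cpu_seconds)  # a runaway parse gets SIGXCPU
    proc = subprocess.Popen(cmd, preexec_fn=limits,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    # wait4 returns the rusage of exactly this child. On Linux the figure can
    # also include the forked copy of this process as it was before exec.
    _, status, usage = os.wait4(proc.pid, 0)
    proc.returncode = os.waitstatus_to_exitcode(status)
    return RunReport(proc.returncode, usage.ru_maxrss, usage.ru_maxrss > rss_alert_kib)

def _stand_in(py_code):
    # Constructed stand-in for the real converter so the example runs offline.
    return [sys.executable, "-c", py_code]

if __name__ == "__main__":
    print(run_isolated(_stand_in("buf = b'x' * (160 << 20)")))   # resident growth
    print(run_isolated(_stand_in("buf = bytearray(4 << 30)")))   # hits the AS cap
```

Because every conversion gets a fresh process, leaked memory is returned to the system when the child exits, so a batch of profiles cannot accumulate the leak in a long-lived worker.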
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-02T18:45:27.395Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695c6e7b3839e44175bdd43e
Added to database: 1/6/2026, 2:07:55 AM
Last enriched: 1/6/2026, 2:22:58 AM
Last updated: 1/8/2026, 10:39:46 AM