Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the signature parser. This issue has been patched in version 2.3.1.2.
Published: 2026-01-07
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply patch
AI Analysis

Impact

iccDEV is a library for manipulating ICC color management profiles. Before version 2.3.1.2 its signature parser can dereference a NULL pointer when processing an ICC profile signature, causing the process to crash. The impact is a disruption of services that use the library, potentially resulting in a denial of service. The CVE description does not indicate remote code execution; it only describes a local crash.

Affected Systems

The affected product is International Color Consortium’s iccDEV. All versions older than 2.3.1.2 are vulnerable; version 2.3.1.2 and later contain the fix.

Risk and Exploitability

The CVSS score of 5.5 signals moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA's KEV catalog. Attackers could supply a crafted ICC profile file to trigger the parser; if the library is used by a privileged or server‑side application, a crash could be leveraged to disrupt availability. The likely attack vector is file or input based; no network‑based exploitation is described.

Generated by OpenCVE AI on April 18, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update iccDEV to version 2.3.1.2 or newer
  • If an update is not immediately possible, prevent untrusted ICC profile files from reaching applications that use iccDEV
  • Validate or sandbox the parsing of ICC profiles to mitigate crash risks

Generated by OpenCVE AI on April 18, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the signature parser. This issue has been patched in version 2.3.1.2.
Title NULL Pointer Dereference in iccDEV Signature Parser
Weaknesses CWE-20
CWE-252
CWE-476
CWE-690
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T18:19:41.872Z

Reserved: 2025-12-29T14:34:16.006Z

Link: CVE-2026-21496

cve-icon Vulnrichment

Updated: 2026-01-07T18:19:38.352Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T18:15:53.300

Modified: 2026-01-09T21:56:48.510

Link: CVE-2026-21496

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses