Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via an unknown tag parser. This issue has been patched in version 2.3.1.2.
Published: 2026-01-07
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via NULL pointer dereference
Action: Patch Immediately
AI Analysis

Impact

ICC Color Consortium’s iccDEV contains a NULL pointer dereference in its unknown tag parser, which can be triggered by an attacker supplying a malformed ICC profile. The flaw causes the application to crash, resulting in a denial of service. This vulnerability is an example of unchecked input leading to an invalid memory access, classified under CWE-20, CWE-476 and CWE-252.

Affected Systems

The issue affects the iccDEV libraries and tools distributed by the International Color Consortium, specifically any release prior to version 2.3.1.2. Version 2.3.1.2 and later incorporate the fix.

Risk and Exploitability

The CVSS 3.1 base score is 5.5 (medium severity), and the EPSS score is reported as less than 1%, indicating a low predicted probability of exploitation. The vulnerability requires the attacker to supply a crafted ICC profile that contains an unknown tag, which then causes the parser to dereference a NULL pointer and crash. The flaw is currently not listed in the CISA Known Exploited Vulnerabilities catalog, and no public exploits have been disclosed. Nonetheless, the potential for disrupting services that rely on iccDEV warrants timely remediation.

Generated by OpenCVE AI on April 18, 2026 at 08:04 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later.
  • Reconfigure or patch the application so that unknown tags in ICC profiles are rejected rather than parsed, thereby preventing the null dereference.
  • When an upgrade is not immediately possible, enforce strict validation of ICC profiles before processing to ensure that only recognized tags are accepted.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 22:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Color
                                      Color iccdev
CPEs                                  cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products                    Color
                                      Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Internationalcolorconsortium
                                      Internationalcolorconsortium iccdev
Vendors & Products                    Internationalcolorconsortium
                                      Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 17:30:00 +0000

Type          Values Removed   Values Added
Description                    iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via an unknown tag parser. This issue has been patched in version 2.3.1.2.
Title                          NULL Pointer Dereference in iccDEV Unknown Tag Parser
Weaknesses                     CWE-20
                               CWE-252
                               CWE-476
References
Metrics                        cvssV3_1
                               {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T18:19:19.900Z

Reserved: 2025-12-29T14:34:16.006Z

Link: CVE-2026-21497

Vulnrichment

Updated: 2026-01-07T18:19:17.230Z

NVD

Status: Analyzed

Published: 2026-01-07T18:15:53.483

Modified: 2026-01-09T21:59:42.477

Link: CVE-2026-21497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses