Impact
iccDEV incorporates a set of libraries and tools for handling ICC color management profiles. Prior to release 2.3.1.2 the XML calculator parser contains a null pointer dereference. When the parser is fed a crafted XML document, the evaluated expression references a null pointer, causing a segmentation fault and terminating the process. This flaw results in a denial-of-service condition; it does not disclose information or modify data directly. The weakness aligns with common input validation and null pointer dereference vulnerability classes (CWE-20, CWE-476, CWE-252, CWE-690).
Affected Systems
All systems running InternationalColorConsortium iccDEV before version 2.3.1.2 are affected. The vulnerability applies to the library and to any associated tools that invoke the XML calculator parser. System administrators should verify the installed version; any deployment of iccDEV older than 2.3.1.2 should be treated as affected.
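As an added example, not part of this advisory or of the iccDEV project, the following Python check flags an installed version as affected when it sorts before 2.3.1.2. It assumes the caller already has the version string (for example from a package manager or a tool banner), pads short versions such as 2.3.1 with zeros, and ignores any non-numeric suffix.

```python
"""Flag an iccDEV version as affected if it is older than 2.3.1.2.

Added example, not part of the advisory or the iccDEV project. The only
fact it relies on is the advisory's threshold: versions before 2.3.1.2 are
affected. Obtaining the version string is left to the caller.
"""
import re

FIXED_VERSION = "2.3.1.2"  # first release containing the fix, per the advisory


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the leading dotted numeric version from a string.

    Accepts bare versions ("2.3.1.2") and strings with a prefix or suffix
    ("iccDEV v2.3.1", "2.3.1.1-build7"); non-numeric suffixes are ignored,
    which is a simplification for inventory-style checks.
    """
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def normalize(parts: tuple[int, ...], width: int = 4) -> tuple[int, ...]:
    """Pad a short version with zeros so 2.3.1 compares as 2.3.1.0."""
    return parts + (0,) * (width - len(parts))


def is_affected(version_text: str) -> bool:
    """True if the version is strictly older than the fixed release."""
    installed = normalize(parse_version(version_text))
    fixed = normalize(parse_version(FIXED_VERSION))
    # Tuple comparison is lexicographic, so 2.10.0 correctly sorts after 2.3.1.2.
    return installed < fixed


if __name__ == "__main__":
    # Constructed sample version strings, not real inventory data.
    for version in ["2.3.1.1", "2.3.1", "iccDEV v2.3.1.2", "2.3.2", "2.10.0"]:
        status = "AFFECTED" if is_affected(version) else "ok"
        print(f"{version:>16}: {status}")
```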
Risk and Exploitability
The CVSS score of 5.5 indicates moderate severity. EPSS is reported as less than 1%, suggesting that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely supply a malicious XML document to the parser by embedding it in a corrupted or otherwise illicit file that the application processes. Because the flaw manifests only when the parser evaluates a certain expression, exploitation requires that the input be accepted by the application and parsed; this limits the exposure to environments where iccDEV processes untrusted XML data.
OpenCVE Enrichment