Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML parser. This issue has been patched in version 2.3.1.2.
Published: 2026-01-07
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A null pointer dereference occurs within the XML parser component of the iccDEV library. When a specially crafted XML payload is processed, the parser fails to validate a needed pointer, leading to a crash. This flaw results in a denial of service for any application that relies on iccDEV to handle color profiles. The weakness represents a classic input validation error and unchecked null dereference, corresponding to CWE‑20, CWE‑476, and CWE‑690. While the crash does not grant an attacker new privileges or data, it can expose unstable memory states before the fault triggers and disrupt workflow continuity.

Affected Systems

All versions of the International Color Consortium’s iccDEV software released prior to 2.3.1.2 are affected. No other vendors or product lines are reported to be impacted by this flaw.

Risk and Exploitability

The CVSS base score of 5.5 categorizes the vulnerability as moderate severity. An EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The issue is not listed in CISA’s KEV catalog. The most probable attack vector is local: an actor who can supply XML input to the parser can trigger a crash, causing a denial of service. If the parser is exposed to untrusted input from remote users, a remote attacker could similarly induce a service outage. There is no evidence of privilege escalation or data exfiltration.

Generated by OpenCVE AI on April 18, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later to apply the vendor fix.
  • Restrict the XML parser to process only trusted, validated content to avoid handling malicious XML files.
  • Implement checks that validate XML payloads for well‑formedness and null references before invoking the parser to guard against malformed input.
  • Monitor application logs for abnormal terminations and, if older library versions must remain in use, consider sandboxing the color‑management components to contain potential crashes.

Generated by OpenCVE AI on April 18, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML parser. This issue has been patched in version 2.3.1.2.
Title NULL Pointer Dereference in iccDEV XML Parser
Weaknesses CWE-20
CWE-476
CWE-690
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T18:21:09.851Z

Reserved: 2025-12-29T14:34:16.007Z

Link: CVE-2026-21499

cve-icon Vulnrichment

Updated: 2026-01-07T18:21:03.583Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T18:15:53.810

Modified: 2026-01-09T21:59:59.930

Link: CVE-2026-21499

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z

Weaknesses