Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML tag parser. This issue has been patched in version 2.3.1.2.
Published: 2026-01-07
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

icdev, a library for ICC color profile manipulation, contains a null pointer dereference flaw in its XML tag parser in versions older than 2.3.1.2. The vulnerability is triggered when the parser receives unexpected or malformed XML input, causing the program to crash. A crash results in a denial of service that could interrupt color management services or any application relying on iccDEV, leading to loss of availability but not compromising confidentiality or integrity. The attack vector is inferred to be the supply of malformed XML to the library, which may occur locally or remotely depending on how iccDEV is employed.

Affected Systems

The affected product is iccDEV from the International Color Consortium. Versions before 2.3.1.2 are impacted; all releases newer than 2.3.1.2 contain the fix. The vulnerability was formally documented at the vendor's repository and is included in the community security advisories.

Risk and Exploitability

With a CVSS score of 5.5 the vulnerability is classified as moderate. The EPSS score is below 1%, indicating a very low probability of exploitation. It is not listed in the CISA KEV catalog. An attacker would need access to the XML input path of the library, which may be local or remote depending on how iccDEV is used. The specific attack vector is not stated in the CVE description; it is inferred that the threat arises from supplying malformed XML through any input channel the library exposes. Exploitation typically results in a program crash rather than arbitrary code execution.

Generated by OpenCVE AI on April 18, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all iccDEV installations to version 2.3.1.2 or later, which eliminates the null pointer dereference flaw.
  • Validate or sanitize XML documents before passing them to iccDEV's parser to reduce the risk of malformed input.
  • If an upgrade is not immediately feasible, isolate the usage of the library in a controlled environment or disable XML parsing features where possible.

Generated by OpenCVE AI on April 18, 2026 at 19:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML tag parser. This issue has been patched in version 2.3.1.2.
Title NULL Pointer Dereference in iccDEV XML Tag Parser
Weaknesses CWE-20
CWE-252
CWE-476
CWE-690
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T18:21:53.693Z

Reserved: 2025-12-29T14:34:16.007Z

Link: CVE-2026-21502

cve-icon Vulnrichment

Updated: 2026-01-07T18:21:42.807Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-07T18:15:54.247

Modified: 2026-01-09T21:33:58.750

Link: CVE-2026-21502

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses