Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to a null pointer passed to memcpy() in CIccTagSparseMatrixArray. This issue has been patched in version 2.3.1.2.
Published: 2026-01-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Apply Patch
AI Analysis

Impact

A null pointer is passed to the memcpy function within the CIccTagSparseMatrixArray component of iccDEV, leading to undefined behavior. This flaw represents a CWE-476 null pointer dereference combined with a CWE-131 incorrect buffer-size calculation, which can corrupt memory, crash programs, or, when the input is untrusted, potentially facilitate arbitrary code execution. The impact is limited to code that uses the affected library to process ICC color profiles.

Affected Systems

InternationalColorConsortium’s iccDEV library and associated tools before the release of version 2.3.1.2 are impacted. Versions 2.3.1.2 and later contain the patch that prevents the null pointer from being passed to memcpy. Any software that loads or manipulates ICC profiles via a vulnerable version of iccDEV is susceptible.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity. The EPSS score is less than 1%, suggesting a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to supply a malformed ICC profile that triggers the memcpy operation; consistent with the CVSS vector (local attack vector, user interaction required), this is most likely a local or privileged scenario rather than a remote attack. Consequently, the overall risk is moderate and is largely mitigated by applying the vendor’s patch.

Generated by OpenCVE AI on April 18, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to iccDEV 2.3.1.2 or later to eliminate the null-pointer memcpy defect.
  • Validate ICC profile data before processing and reject malformed or unexpected data structures.
  • If immediate upgrade is not possible, disable ICC profile handling in applications that do not require color management until a patched library is available.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Color; Color iccdev
CPEs                                  cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products                    Color; Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products                    Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 22:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 17:30:00 +0000

Type                 Values Removed   Values Added
Description                           iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to a null pointer passed to memcpy() in CIccTagSparseMatrixArray. This issue has been patched in version 2.3.1.2.
Title                                 iccDEV has Undefined Behavior - Null Pointer Passed to memcpy() in CIccTagSparseMatrixArray
Weaknesses                            CWE-131, CWE-20, CWE-476, CWE-628
References
Metrics                               cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T21:53:35.787Z

Reserved: 2025-12-29T14:34:16.007Z

Link: CVE-2026-21503

Vulnrichment

Updated: 2026-01-07T21:53:32.805Z

NVD

Status: Analyzed

Published: 2026-01-07T18:15:54.390

Modified: 2026-01-09T21:34:09.107

Link: CVE-2026-21503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:00:05Z