Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to Null pointer dereference in CIccProfileXml::ParseBasic(), leading to denial of service. This issue has been patched in version 2.3.1.2.
Published: 2026-01-07
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A null pointer dereference occurs in the CIccProfileXml::ParseBasic() function of iccDEV when parsing ICC profile XML data. If an attacker can supply a crafted XML file or otherwise invoke the function with null or malformed input, the application will crash, disrupting service availability. This flaw does not lead to data exposure or code execution; its impact is limited to service downtime. The weakness is a classic input validation issue (CWE-20) coupled with an improper null reference check (CWE-476).

Affected Systems

The vulnerability affects the InternationalColorConsortium’s iccDEV libraries and tools. All releases prior to version 2.3.1.2 are impacted; version 2.3.1.2 and later contain the fix.

Risk and Exploitability

The base score is 5.5, indicating medium severity. The EPSS probability is below 1%, suggesting a low likelihood of exploitation, and the vulnerability is not catalogued in the CISA KEV list. Though the attack vector is not explicitly detailed in the advisory, it is inferred that an attacker could trigger the crash by providing malicious or malformed XML input to the CIccProfileXml::ParseBasic() routine. The risk is primarily to availability on systems that process untrusted or unfiltered ICC profiles.

Generated by OpenCVE AI on April 18, 2026 at 08:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later, which contains the null-pointer fix in CIccProfileXml::ParseBasic().
  • Configure the application to reject or sandbox untrusted XML files before they reach CIccProfileXml::ParseBasic(), thereby preventing malformed input from causing a crash.
  • Monitor system logs for repeated crashes related to ICC profile processing and apply the patch as soon as possible to restore availability.



Advisories

No advisories yet.

History

Tue, 13 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Color; Color iccdev
CPEs | | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products | | Color; Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products | | Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to Null pointer dereference in CIccProfileXml::ParseBasic(), leading to denial of service. This issue has been patched in version 2.3.1.2.
Title | | iccDEV is Vulnerable to Null Pointer Dereference in CIccProfileXml::ParseBasic() Leading to Denial of Service
Weaknesses | | CWE-20; CWE-476
References | |
Metrics | | cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T18:30:51.482Z

Reserved: 2025-12-29T14:34:16.007Z

Link: CVE-2026-21506

Vulnrichment

Updated: 2026-01-07T18:30:23.183Z

NVD

Status : Analyzed

Published: 2026-01-07T18:15:54.850

Modified: 2026-01-13T21:00:53.463

Link: CVE-2026-21506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:15:15Z

Weaknesses