Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Published: 2026-01-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Null Pointer Dereference
Action: Apply Patch
AI Analysis

Impact

The vulnerability causes a null pointer dereference within the iccDEV library when processing ICC color profiles. This defect can trigger a program crash or other undefined behavior such as memory corruption. The flaw is classified as CWE‑476, indicating that an object is used without ensuring it is properly instantiated. The primary impact is a potential denial of service for processes that handle color profiles, and in certain contexts may expose vulnerabilities that could be leveraged to manipulate memory structures.

Affected Systems

The issue affects all releases of iccDEV from the International Color Consortium before version 2.3.1.2. Users who employ the iccDEV library to parse, manipulate, or apply ICC color profiles are directly impacted. No specific product lineage beyond the library is listed.

Risk and Exploitability

The CVSS score of 6.5 places the vulnerability in the medium severity range. An EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not present in the CISA Known Exploited Vulnerabilities list. Attackers would need the ability to deliver or influence the processing of ICC profiles in an environment that uses the vulnerable library, which is typically a local or application‑level scenario. No workarounds are known, so the recommended action is to update to the patched release.

Generated by OpenCVE AI on April 18, 2026 at 08:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iccDEV library to version 2.3.1.2 or later, which includes the null pointer dereference fix.
  • If an immediate upgrade is not feasible, restrict or validate ICC profile input before it is processed by the application, limiting exposure to untrusted data.
  • Implement monitoring for unexpected application crashes or memory-related errors linked to ICC profile handling to detect potential exploitation attempts.


Tracking


Advisories

No advisories yet.

History

Fri, 09 Jan 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Color; Color iccdev
CPEs                                  cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products                    Color; Color iccdev

Thu, 08 Jan 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products                    Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 07 Jan 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 18:00:00 +0000

Type                 Values Removed   Values Added
Description                           iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Title                                 iccDEV has Null Pointer Dereference in CIccProfile::CheckTagTypes()
Weaknesses                            CWE-476
References
Metrics                               cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}


Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-07T18:09:05.595Z

Reserved: 2026-01-02T18:45:27.396Z

Link: CVE-2026-21680

Vulnrichment

Updated: 2026-01-07T18:08:36.198Z

NVD

Status : Analyzed

Published: 2026-01-07T18:15:55.290

Modified: 2026-01-09T21:34:54.593

Link: CVE-2026-21680

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses