Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a null pointer dereference in CIccTagXmlStruct::ParseTag() causing a segmentation fault or denial of service. This vulnerability is fixed in 2.3.1.5.
Published: 2026-03-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch immediately
AI Analysis

Impact

The vulnerability is a null pointer dereference in CIccTagXmlStruct::ParseTag(), leading to a segmentation fault or denial of service. This flaw is a classic NULL dereference vulnerability (CWE-476) that can be triggered when processing malformed ICC tags. It directly disrupts the stability of any application using iccDEV, potentially causing a crash but not leaking information or allowing code execution.

Affected Systems

iccDEV, maintained by the International Color Consortium, is affected in every installation older than version 2.3.1.5. The fault lies in the library component that parses ICC tags, as shipped in all releases before 2.3.1.5.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity, while the EPSS score of less than 1% suggests exploitation is unlikely but possible if adversaries control ICC profile input. Based on the description, the likely attack vector involves feeding a crafted ICC profile that triggers the null dereference during parsing, which causes a crash of the host process. The vulnerability is not listed in the CISA KEV catalog at this time, further suggesting a lower current threat level. Nonetheless, the potential for denial of service warrants prompt mitigation.

Generated by OpenCVE AI on April 16, 2026 at 03:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.5 or later to apply the vendor fix.
  • If an immediate upgrade is not possible, validate or restrict ICC profile input from untrusted sources before passing it to CIccTagXmlStruct::ParseTag(), thereby preventing malformed tags from reaching the vulnerable code path.
  • Implement application-level error handling around tag parsing to detect and recover from unexpected crashes, which can reduce the impact of the denial of service attack if the upgrade is delayed.



Advisories

No advisories yet.

History

Fri, 13 Mar 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Color; Color iccdev
CPEs                                  cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products                    Color; Color iccdev

Wed, 11 Mar 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products                    Internationalcolorconsortium; Internationalcolorconsortium iccdev

Tue, 10 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Description                           iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a null pointer dereference in CIccTagXmlStruct::ParseTag() causing a segmentation fault or denial of service. This vulnerability is fixed in 2.3.1.5.
Title                                 iccDEV has a null pointer dereference in CIccTagXmlStruct::ParseTag()
Weaknesses                            CWE-476
References
Metrics                               cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:32:26.834Z

Reserved: 2026-03-09T16:33:42.912Z

Link: CVE-2026-31792

Vulnrichment

Updated: 2026-03-10T19:27:49.627Z

NVD

Status: Analyzed

Published: 2026-03-10T18:18:59.403

Modified: 2026-03-13T20:30:07.400

Link: CVE-2026-31792

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:45:16Z

Weaknesses