Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a null-pointer dereference (NPD) in CIccTagLut16::Write() can be triggered when processing a crafted ICC profile (embedded in a TIFF and extracted during iccTiffDump). This issue has been patched in version 2.3.1.6.
Published: 2026-03-31
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A null-pointer dereference occurs within the CIccTagLut16::Write method of the iccDEV library when processing a crafted ICC profile embedded inside a TIFF file. The flaw can cause the application that performs the extraction to crash or behave unpredictably, leading to a denial of service. The description does not indicate any code execution or data disclosure, so the attack would result primarily in an interruption of service.

Affected Systems

The affected product is the InternationalColorConsortium iccDEV library and its associated tools. All releases before version 2.3.1.6 are vulnerable; later releases include the fix.

Risk and Exploitability

The CVSS score of 6.2 signals a moderate severity level. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a malicious ICC profile supplied in a TIFF file that the application processes, which could be local or remote depending on how the tool is exposed. Because the description gives no indication of code execution, the impact is limited to an application crash or denial of service.

Generated by OpenCVE AI on April 1, 2026 at 06:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by updating iccDEV to version 2.3.1.6 or later


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Color; Color iccdev |
| CPEs | | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* |
| Vendors & Products | | Color; Color iccdev |

Thu, 02 Apr 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Internationalcolorconsortium; Internationalcolorconsortium iccdev |
| Vendors & Products | | Internationalcolorconsortium; Internationalcolorconsortium iccdev |

Wed, 01 Apr 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Wed, 01 Apr 2026 02:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a null-pointer dereference (NPD) in CIccTagLut16::Write() can be triggered when processing a crafted ICC profile (embedded in a TIFF and extracted during iccTiffDump). This issue has been patched in version 2.3.1.6. |
| Title | | iccDEV: NPD in CIccTagLut16::Write() |
| Weaknesses | | CWE-476 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |


Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:23:28.038Z

Reserved: 2026-03-30T16:31:39.264Z

Link: CVE-2026-34551

Vulnrichment

Updated: 2026-04-01T13:23:02.171Z

NVD

Status: Analyzed

Published: 2026-03-31T23:17:10.100

Modified: 2026-04-20T14:33:37.803

Link: CVE-2026-34551

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:06Z

Weaknesses