Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) issue in IccTagLut.cpp where the code performs member access through a null pointer of type CIccApplyCLUT. This issue has been patched in version 2.3.1.6.
Published: 2026-03-31
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and potential exploitation via null pointer dereference
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an undefined behavior that occurs when the library attempts to access members of a null CIccApplyCLUT object in IccTagLut.cpp. This can cause crashes or unpredictable execution when processing ICC profiles that trigger the fault.

Affected Systems

The issue affects all builds of the International Color Consortium’s iccDEV library older than 2.3.1.6. Users who rely on these libraries for color profile handling are at risk until they upgrade.

Risk and Exploitability

With a CVSS score of 6.2, the severity is moderate. No EPSS score is provided, and the vulnerability is not listed in CISA’s KEV catalog, indicating low to moderate exploitation probability. The potential attack vector depends on how ICC profiles are supplied; it is inferred that locally crafted profiles could trigger the flaw, but remote exploitation is possible if the library is exposed to untrusted input. No known public exploits are reported.

Generated by OpenCVE AI on April 1, 2026 at 06:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.6 or newer to eliminate the null pointer dereference.
  • Verify that all deployments use the patched version and monitor for future updates.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 14:45:00 +0000

Values Added:
First Time appeared: Color; Color iccdev
CPEs: cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products: Color; Color iccdev

Thu, 02 Apr 2026 20:30:00 +0000

Values Added:
First Time appeared: Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products: Internationalcolorconsortium; Internationalcolorconsortium iccdev

Wed, 01 Apr 2026 23:45:00 +0000

Values Added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Values Added:
Description: iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is an Undefined Behavior (UB) issue in IccTagLut.cpp where the code performs member access through a null pointer of type CIccApplyCLUT. This issue has been patched in version 2.3.1.6.
Title: iccDEV: UB at IccTagLut.cpp
Weaknesses: CWE-476
References
Metrics: cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T19:01:26.778Z

Reserved: 2026-03-30T16:31:39.264Z

Link: CVE-2026-34552

Vulnrichment

Updated: 2026-04-01T19:01:23.855Z

NVD

Status: Analyzed

Published: 2026-03-31T23:17:10.270

Modified: 2026-04-20T14:34:19.123

Link: CVE-2026-34552

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:04Z
