CVE-2026-21492
NULL Pointer Dereference in iccDEV Library Affects ICC Profiles
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| international_color_consortium | iccdev | < 2.3.1.2 (all versions before 2.3.1.2; 2.3.1.2 itself is fixed) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-252 | The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a NULL pointer dereference in the ToneMap writer of the iccDEV library. When a profile's tone-map element is written, the code calls member functions through pointers to the element's tone-mapping functions and its luminance curve without first checking that those pointers are non-NULL. The library assumed they were always populated, but they can be NULL, and an unchecked return value (CWE-252) lets that state go unnoticed until the pointer is dereferenced (CWE-476), which is undefined behavior and in practice crashes the process. Versions before 2.3.1.2 are affected; the fix adds explicit NULL pointer checks when ICC color profiles are read and written. [1, 3, 4, 5]
How can this vulnerability impact me?
The impact is on availability and is rated high: an application that uses iccDEV to process ICC color profiles can crash or fail at runtime. Exploitation requires local access, low attack complexity, no privileges, and user interaction, for example a user opening a crafted ICC profile with affected software. Confidentiality and integrity are not affected, but normal operation is disrupted when the software terminates unexpectedly on the NULL pointer dereference. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is by version: any iccDEV build before 2.3.1.2 is vulnerable. Crashes from NULL pointer dereferences in the ToneMap writer, at IccProfLib/IccMpeBasic.cpp line 4051 in the affected code, also point to this issue. The cited resources give no specific detection commands; check the iccDEV version built into or installed alongside your software, and monitor logs and crash reports for NULL pointer dereferences during ICC profile processing. [1, 2]
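Once you have the version string of an iccDEV build (the page names no command for obtaining it, so how you get it is up to you: package metadata, the build's version header, or tool output), the remaining step is to compare it numerically against 2.3.1.2. A plain string comparison gets this wrong as soon as a component has two digits ("2.3.1.10" sorts before "2.3.1.2" as text). The helper below is an added example written for this page, not iccDEV code; the function names are hypothetical.

```cpp
// Added example, not part of iccDEV: numeric comparison of dotted version
// strings, used to flag builds older than the fixed release 2.3.1.2.
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Split "2.3.1.2" into {2, 3, 1, 2}. Parsing stops at the first character that
// is neither a digit nor a dot, so a suffix such as "-rc1" is ignored.
std::vector<unsigned long> ParseVersion(const std::string &v) {
    std::vector<unsigned long> parts;
    unsigned long cur = 0;
    bool have = false;
    for (char c : v) {
        if (c >= '0' && c <= '9') {
            cur = cur * 10 + static_cast<unsigned long>(c - '0');
            have = true;
        } else if (c == '.') {
            parts.push_back(cur);
            cur = 0;
            have = false;
        } else {
            break;
        }
    }
    if (have) parts.push_back(cur);
    return parts;
}

// strcmp-style result: <0 if a < b, 0 if equal, >0 if a > b. Components are
// compared as numbers; missing trailing components count as 0, so "2.3.1"
// is treated as "2.3.1.0".
int CompareVersions(const std::string &a, const std::string &b) {
    std::vector<unsigned long> pa = ParseVersion(a);
    std::vector<unsigned long> pb = ParseVersion(b);
    size_t n = std::max(pa.size(), pb.size());
    for (size_t i = 0; i < n; i++) {
        unsigned long x = i < pa.size() ? pa[i] : 0;
        unsigned long y = i < pb.size() ? pb[i] : 0;
        if (x != y) return x < y ? -1 : 1;
    }
    return 0;
}

// True when the given iccDEV version predates the fixed release 2.3.1.2.
// An empty or unparsable string yields no components, compares below the
// fix, and is therefore flagged: unknown versions are treated as vulnerable.
bool IsVulnerableIccDev(const std::string &version) {
    return CompareVersions(version, "2.3.1.2") < 0;
}
```

Treating an unparsable version as vulnerable is deliberate: in an inventory scan a false positive costs a manual check, while a false negative leaves an affected build in place.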
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the issue is patched. The fix adds explicit NULL pointer checks before the ToneMap writer dereferences its function and curve pointers, so a profile that leaves them unset is rejected instead of crashing the process. No workaround is available; applying the official patch or upgrading to the fixed version is the only mitigation. [1, 3, 4, 5]
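The failure chain described in the explanation answer and the shape of the fix described in the mitigation answer, as an added example in C++ (iccDEV's language). This is illustrative code written for this page, not iccDEV's own source: the element, the byte stream and the three-byte sub-element format are hypothetical stand-ins for the real ToneMap element and ICC profile I/O, and all names are invented. It shows how an ignored read result (CWE-252) leaves a member pointer NULL and how an unchecked writer then dereferences it (CWE-476), beside a writer and pipeline that check every pointer and return value.

```cpp
// Added illustrative example (not iccDEV code): a simplified ToneMap-like
// element whose writer dereferences sub-object pointers. All names and the
// byte format are hypothetical.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Minimal stand-ins for the curve and tone-map function objects the element owns.
struct Curve {
    bool Write(std::string &out) const { out += "curve;"; return true; }
};
struct ToneMapFunc {
    bool Write(std::string &out) const { out += "func;"; return true; }
};

struct ToneMapElement {
    uint16_t nOutputChannels = 0;
    std::unique_ptr<Curve> pLumCurve;                       // NULL until a read populates it
    std::vector<std::unique_ptr<ToneMapFunc>> pToneMapFunc; // one entry per output channel
};

// Byte cursor over an in-memory buffer, standing in for the profile I/O object.
struct ByteStream {
    std::vector<uint8_t> data;
    size_t pos = 0;
    bool ReadU8(uint8_t &v) {
        if (pos >= data.size()) return false;
        v = data[pos++];
        return true;
    }
};

// Constructed mini-format (not the real ICC encoding):
//   [u8 nChannels][u8 lumCurveTag][u8 funcTag] * nChannels
// Tag 1 = curve, tag 2 = tone-map function; any other tag yields no object,
// leaving the pointer NULL the way an unsupported sub-element would.
// Returns false on truncation, leaving the element half-populated.
bool ReadElement(ByteStream &io, ToneMapElement &e) {
    uint8_t n = 0, tag = 0;
    if (!io.ReadU8(n)) return false;
    e.nOutputChannels = n;
    if (!io.ReadU8(tag)) return false;
    if (tag == 1) e.pLumCurve = std::make_unique<Curve>(); else e.pLumCurve.reset();
    e.pToneMapFunc.clear();
    for (uint8_t i = 0; i < n; i++) {
        if (!io.ReadU8(tag)) return false;
        std::unique_ptr<ToneMapFunc> f;
        if (tag == 2) f = std::make_unique<ToneMapFunc>();
        e.pToneMapFunc.push_back(std::move(f));
    }
    return true;
}

// Vulnerable shape (CWE-476): assumes every pointer is populated. An element
// whose luminance curve or one of whose functions is NULL crashes here.
bool WriteUnchecked(const ToneMapElement &e, std::string &out) {
    e.pLumCurve->Write(out);
    for (uint16_t i = 0; i < e.nOutputChannels; i++)
        e.pToneMapFunc[i]->Write(out);
    return true;
}

// Hardened shape: check each pointer (and the vector bound) before use and
// propagate failure to the caller instead of crashing.
bool WriteChecked(const ToneMapElement &e, std::string &out) {
    if (!e.pLumCurve || e.pToneMapFunc.size() < e.nOutputChannels) return false;
    if (!e.pLumCurve->Write(out)) return false;
    for (uint16_t i = 0; i < e.nOutputChannels; i++) {
        if (!e.pToneMapFunc[i]) return false;
        if (!e.pToneMapFunc[i]->Write(out)) return false;
    }
    return true;
}

// Vulnerable pipeline (CWE-252 feeding CWE-476): the read result is ignored,
// so a truncated or malformed stream reaches WriteUnchecked with NULL members.
bool RoundTripUnchecked(const std::vector<uint8_t> &bytes, std::string &out) {
    ByteStream io;
    io.data = bytes;
    ToneMapElement e;
    ReadElement(io, e);             // return value discarded
    return WriteUnchecked(e, out);  // may dereference NULL
}

// Hardened pipeline: every return value is checked, so bad input is rejected.
bool RoundTripChecked(const std::vector<uint8_t> &bytes, std::string &out) {
    ByteStream io;
    io.data = bytes;
    ToneMapElement e;
    if (!ReadElement(io, e)) return false;
    return WriteChecked(e, out);
}

int main() {
    std::string out;
    bool ok = RoundTripChecked({2, 1, 2, 2}, out);   // constructed well-formed input
    std::printf("well-formed: %s -> %s\n", ok ? "ok" : "rejected", out.c_str());
    out.clear();
    ok = RoundTripChecked({1, 0, 2}, out);           // constructed input with no curve
    std::printf("missing curve: %s\n", ok ? "ok" : "rejected");
    return 0;
}
```

RoundTripUnchecked is kept only to show the failure chain: feeding it the truncated or tag-0 inputs that RoundTripChecked rejects would dereference NULL, so it is never called on them here. In production code the rejection of an unknown sub-element belongs inside the read path as well, so that a NULL never reaches the writer in the first place; the write-side checks then act as a second line of defence rather than the only one.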
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources and context do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.