CVE-2026-21492
NULL Pointer Dereference in iccDEV Library Affects ICC Profiles

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer member call vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
Meta Information
Published: 2026-01-06
Last Modified: 2026-01-06
Generated: 2026-06-16
AI Q&A: 2026-01-06
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor | Product | Version / Range
international_color_consortium | iccdev | up to 2.3.1.2 (exclusive)
CWE ID | Description
CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL.
CWE-252 | The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Impact Analysis

The vulnerability can have a high impact on availability: applications that use the iccDEV library to process ICC color profiles can crash or hit runtime errors. Exploitation requires local access and user interaction; attack complexity is low and no privileges are needed. Confidentiality and integrity are not affected, but the NULL pointer dereference makes the software fail unexpectedly and disrupts normal operation. [1]

Detection Guidance

This vulnerability can be detected by checking the version of the iccDEV library in use. Versions prior to 2.3.1.2 are vulnerable. Additionally, runtime errors related to null pointer dereferences in the ToneMap Writer component, specifically in the file IccProfLib/IccMpeBasic.cpp at line 4051, indicate the presence of this vulnerability. While no specific detection commands are provided, you can verify the iccDEV version installed on your system and monitor logs or runtime errors for null pointer dereference crashes related to ICC profile processing. [1, 2]
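
Both checks described above, as an added example (not code from the advisory or from the iccDEV project): a version comparison against 2.3.1.2 and a scan of sanitizer output for null-pointer reports in IccMpeBasic.cpp. It assumes the logs use the UndefinedBehaviorSanitizer line format and that you supply the installed version string yourself; the sample log lines and the type names in them are constructed.

```python
import re

FIXED_VERSION = (2, 3, 1, 2)     # first patched release, per the advisory
SOURCE_FILE = "IccMpeBasic.cpp"  # file named in the advisory
SOURCE_LINE = 4051               # line named in the advisory

# Assumed log format (UBSan): <path>:<line>:<col>: runtime error: <message>
UBSAN_RE = re.compile(
    r"(?P<path>[^\s:]+):(?P<line>\d+):(?P<col>\d+): runtime error: (?P<msg>.*)"
)

# Constructed sample input; the type names are placeholders, not iccDEV classes.
SAMPLE_LOG = [
    "IccProfLib/IccMpeBasic.cpp:4051:22: runtime error: "
    "member call on null pointer of type 'ExampleCurve'",
    "IccProfLib/IccMpeBasic.cpp:120:5: runtime error: signed integer overflow: "
    "2147483647 + 1 cannot be represented in type 'int'",
    "Tools/Example.cpp:10:3: runtime error: "
    "member call on null pointer of type 'Other'",
    "profile written OK",
]


def parse_version(text):
    """Turn '2.3.1.1' or 'v2.3.1' into a 4-tuple, padding missing parts with 0."""
    m = re.search(r"\d+(?:\.\d+){0,3}", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    nums = [int(p) for p in m.group().split(".")]
    return tuple(nums + [0] * (4 - len(nums)))


def is_vulnerable(version_text):
    """True when the version is older than the patched 2.3.1.2 release."""
    return parse_version(version_text) < FIXED_VERSION


def find_null_deref_hits(log_lines):
    """Return (log_line_no, exact_line_match, message) for null-pointer
    reports in the affected source file."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = UBSAN_RE.search(line)
        if not m or not m["path"].endswith(SOURCE_FILE):
            continue
        if "null pointer" not in m["msg"]:
            continue
        # Source line numbers shift between releases, so record exactness
        # instead of requiring line 4051.
        hits.append((no, int(m["line"]) == SOURCE_LINE, m["msg"]))
    return hits
```

A hit whose second field is `False` still points at the affected file and is worth triaging, since the reported line only matches 4051 on the build the advisory was written against.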

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched. The fix includes adding explicit null pointer checks before dereferencing pointers in the ToneMap Writer component, preventing crashes. No workarounds are available, so applying the official patch or upgrading to the fixed version is necessary to prevent exploitation. [1, 3, 4, 5]

Compliance Impact

The provided resources and context do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability in the iccDEV library involves a NULL pointer dereference in the ToneMap Writer component. Specifically, the code fails to check if certain pointers (related to tone mapping functions and luminance curves) are NULL before calling their member functions, which leads to undefined behavior and runtime errors. This occurs because the library assumes these pointers are always valid, but they can be NULL, causing crashes when dereferenced. The issue affects versions prior to 2.3.1.2 and was fixed by adding explicit null-pointer checks during reading and writing of ICC color profiles. [1, 3, 4, 5]
