CVE-2026-21495
Division by Zero in iccDEV TIFF Reader Causes Crash
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | up to 2.3.1.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-369 | The product divides a value by zero. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a division by zero flaw in the iccDEV library's TIFF image reader component. It occurs because the software does not properly validate certain TIFF image parameters, such as the number of rows per strip, samples per pixel, or bits per sample. If any of these values are zero, the program attempts a division by zero operation, which can cause the software to crash or behave unexpectedly. This issue affects versions of iccDEV prior to 2.3.1.2 and has been fixed by adding checks to validate these parameters and prevent processing invalid TIFF files. [1, 2]
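The kind of parameter check described above, written as an added illustration rather than iccDEV's own code: `TiffStripParams`, `StripLayout` and `computeStripLayout` are hypothetical names, and the arithmetic stands in for whatever strip/row/pixel calculations a TIFF reader performs with these tags as divisors.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>

// Constructed stand-in for the TIFF tags a strip-based reader divides by.
struct TiffStripParams {
    uint32_t imageWidth;
    uint32_t imageLength;      // number of rows in the image
    uint32_t rowsPerStrip;     // 0xFFFFFFFF in TIFF means "whole image in one strip"
    uint16_t samplesPerPixel;
    uint16_t bitsPerSample;
};

struct StripLayout {
    uint32_t bytesPerRow;
    uint32_t stripCount;
    uint32_t bytesPerStrip;
};

// Returns std::nullopt for any tag combination the reader must reject before
// it reaches a division; an unchecked reader would fault on the zeros here.
std::optional<StripLayout> computeStripLayout(const TiffStripParams& p) {
    if (p.rowsPerStrip == 0 || p.samplesPerPixel == 0 || p.bitsPerSample == 0)
        return std::nullopt;                       // the CWE-369 divisors
    if (p.imageWidth == 0 || p.imageLength == 0)
        return std::nullopt;
    if (p.bitsPerSample % 8 != 0)                  // only whole-byte depths here
        return std::nullopt;

    // 64-bit math so oversized tags cannot wrap before the range checks.
    uint64_t rows = p.rowsPerStrip < p.imageLength ? p.rowsPerStrip : p.imageLength;
    uint64_t bytesPerRow = uint64_t(p.imageWidth) * p.samplesPerPixel * (p.bitsPerSample / 8);
    uint64_t stripCount = (uint64_t(p.imageLength) + rows - 1) / rows;   // rows != 0
    uint64_t bytesPerStrip = bytesPerRow * rows;
    if (bytesPerRow > UINT32_MAX || stripCount > UINT32_MAX || bytesPerStrip > UINT32_MAX)
        return std::nullopt;
    return StripLayout{uint32_t(bytesPerRow), uint32_t(stripCount), uint32_t(bytesPerStrip)};
}

int main() {
    // Constructed inputs: a sane 640x480 RGB image, then one with a zero tag.
    auto ok = computeStripLayout(TiffStripParams{640, 480, 64, 3, 8});
    auto bad = computeStripLayout(TiffStripParams{640, 480, 0, 3, 8});
    std::printf("valid: %d, rejected: %d\n", ok.has_value(), !bad.has_value());
    return 0;
}
```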
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade iccDEV to version 2.3.1.2 or later, where the vulnerability has been patched. This update includes validation of critical TIFF parameters to prevent division by zero errors and improves error handling to avoid crashes. No workarounds are provided, so applying the patch or upgrading to the fixed version is necessary to mitigate the vulnerability. [2, 1]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to a denial of service condition by causing the iccDEV TIFF image reader to crash or become unavailable. The impact is on availability only, with no effect on confidentiality or integrity. An attacker with local access and the ability to provide a specially crafted TIFF image can trigger this issue, causing the affected software to fail. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your system is running a version of iccDEV prior to 2.3.1.2, as those versions are vulnerable to a division by zero error in the TIFF image reader. Since the issue arises from processing malformed TIFF files, monitoring for crashes or denial of service events related to TIFF image handling in iccDEV could indicate exploitation attempts. The resources provide no commands that detect the vulnerability directly, but you can verify the installed iccDEV version with the usual package or build version commands, for example `iccdev --version`, or by checking the installed package version through your package manager. Additionally, reviewing logs for crashes related to TIFF image processing may help detect exploitation. [2, 1]