CVE-2026-21497
Unknown Unknown - Not Provided

Null Pointer Dereference in iccDEV ICC Profile Parser

Vulnerability report for CVE-2026-21497, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via an unknown tag parser. This issue has been patched in version 2.3.1.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-07-06
AI Q&A
2026-01-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-21497 is a null pointer dereference vulnerability in the iccDEV library's XML parsing component, specifically in the function CIccTagXmlUnknown::ParseXml(). When the parser processes malformed or crafted XML input, it may attempt to access memory through a null pointer, causing the application to crash (segmentation fault). This happens due to insufficient null pointer checks in the unknown tag parser, leading to a denial of service condition by crashing the application during ICC profile processing. [1, 2, 3]

Impact Analysis

This vulnerability can be exploited locally with low attack complexity and requires user interaction. It does not compromise confidentiality or integrity but causes a high impact on availability by crashing the application processing ICC color profiles. This results in a denial of service, potentially disrupting workflows or services relying on iccDEV for color profile handling. [1, 2]

Detection Guidance

This vulnerability can be detected by attempting to parse malformed or crafted XML input files that trigger the null pointer dereference in the iccDEV library. Specifically, running the iccDEV tool with a specially crafted XML ICC profile that causes the application to crash (segmentation fault) indicates the presence of the vulnerability. Detection involves observing crashes or segmentation faults during XML parsing, which can be confirmed by tools like AddressSanitizer reporting faults at CIccTagXmlUnknown::ParseXml(). There are no specific network detection commands provided, as the attack vector is local and requires user interaction. A practical detection method is to run the iccDEV parsing tool on known PoC XML files that trigger the fault and monitor for crashes. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched by adding proper null pointer checks in the XML parsing code. There are no workarounds provided. Until the upgrade, avoid processing untrusted or malformed ICC profile XML files that could trigger the null pointer dereference. Applying the patch from commit 9419cac or merging the fix from Pull Request #403 will prevent the crash by ensuring the pointer is validated before dereferencing. [2, 3, 4]

Compliance Impact

The vulnerability causes a denial of service by crashing the application due to a null pointer dereference in XML parsing. It does not affect confidentiality or integrity of data, only availability. There is no information indicating that this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA. [2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21497. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart