CVE-2026-21498
NULL Pointer Dereference in iccDEV XML Calculator Parser
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| international_color_consortium | iccdev | to 2.3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-252 | The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-690 | The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21498 is a vulnerability in the iccDEV library where the XML calculator parser does not properly check for null pointers before dereferencing them. Specifically, in the function CIccMpeXmlCalculator::ParseXml(), the code fails to verify if an XML node pointer (pNode) is NULL before using it, which can cause the program to crash or behave unexpectedly when processing specially crafted XML input. This is known as a NULL pointer dereference vulnerability and was fixed by adding proper null checks in version 2.3.1.2. [1, 2, 3, 4, 5]
How can this vulnerability impact me? :
This vulnerability can cause the application using the iccDEV library to crash or become unavailable when processing maliciously crafted XML data, leading to a denial of service. It does not impact confidentiality or integrity but has a high impact on availability. The attack requires local access with low complexity and user interaction but no special privileges. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or segmentation faults in applications using the iccDEV library when processing ICC color profiles, especially those involving XML calculator parsing. Specifically, crashes related to null pointer dereferences in the function CIccMpeXmlCalculator::ParseXml() indicate the presence of this issue. Detection can involve running the iccFromXml tool with specially crafted XML files that trigger the null pointer dereference, such as the test file npd-CIccMpeXmlCalculator-ParseXml-ub-load-null-ptr.xml mentioned in the issue report. There are no specific network commands provided for detection, but monitoring application logs for segmentation faults or crashes during XML parsing is recommended. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the iccDEV library to version 2.3.1.2 or later, where the issue has been patched by adding null pointer checks in the CIccMpeXmlCalculator::ParseXml() function. This patch prevents the null pointer dereference by verifying pointers before use. Since there are no known workarounds, updating to the fixed version is the recommended mitigation. Additionally, avoid processing untrusted or malformed ICC profile XML data until the update is applied. [2, 4, 5]