CVE-2026-21498
Unknown Unknown - Not Provided
NULL Pointer Dereference in iccDEV XML Calculator Parser

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML calculator parser. This issue has been patched in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21498
EUVD
EUVD-2026-1408
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
international_color_consortium iccdev to 2.3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-690 The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.
CWE-252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21498 is a vulnerability in the iccDEV library where the XML calculator parser does not properly check for null pointers before dereferencing them. Specifically, in the function CIccMpeXmlCalculator::ParseXml(), the code fails to verify if an XML node pointer (pNode) is NULL before using it, which can cause the program to crash or behave unexpectedly when processing specially crafted XML input. This is known as a NULL pointer dereference vulnerability and was fixed by adding proper null checks in version 2.3.1.2. [1, 2, 3, 4, 5]

Impact Analysis

This vulnerability can cause the application using the iccDEV library to crash or become unavailable when processing maliciously crafted XML data, leading to a denial of service. It does not impact confidentiality or integrity but has a high impact on availability. The attack requires local access with low complexity and user interaction but no special privileges. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for crashes or segmentation faults in applications using the iccDEV library when processing ICC color profiles, especially those involving XML calculator parsing. Specifically, crashes related to null pointer dereferences in the function CIccMpeXmlCalculator::ParseXml() indicate the presence of this issue. Detection can involve running the iccFromXml tool with specially crafted XML files that trigger the null pointer dereference, such as the test file npd-CIccMpeXmlCalculator-ParseXml-ub-load-null-ptr.xml mentioned in the issue report. There are no specific network commands provided for detection, but monitoring application logs for segmentation faults or crashes during XML parsing is recommended. [3]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the iccDEV library to version 2.3.1.2 or later, where the issue has been patched by adding null pointer checks in the CIccMpeXmlCalculator::ParseXml() function. This patch prevents the null pointer dereference by verifying pointers before use. Since there are no known workarounds, updating to the fixed version is the recommended mitigation. Additionally, avoid processing untrusted or malformed ICC profile XML data until the update is applied. [2, 4, 5]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21498. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart