CVE-2026-21499
NULL Pointer Dereference in iccDEV XML Parser Before
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | to 2.3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-690 | The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21499 is a vulnerability in the iccDEV library's XML parser used for processing ICC color profiles. The issue is a NULL pointer dereference caused by improper input validation and unchecked return values when parsing XML data. Specifically, the code fails to check if certain XML nodes or their children are null before accessing them, leading to a crash or undefined behavior. This flaw can be triggered locally by providing crafted XML input and requires user interaction. The vulnerability was fixed by adding explicit null checks in the parsing code to prevent dereferencing null pointers. [1, 6]
How can this vulnerability impact me? :
This vulnerability can cause a denial of service by crashing the application that uses the iccDEV library when processing maliciously crafted ICC profile XML data. It leads to high availability loss but does not impact confidentiality or integrity. An attacker could exploit this by providing specially crafted XML input to trigger the null pointer dereference, causing the program to crash or behave unpredictably. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the iccDEV XML parser with specially crafted ICC profile XML inputs that contain malformed or incomplete XML nodes, particularly those with missing or null children in the RenderingIntent element. Detection involves observing if the iccDEV tool crashes or triggers runtime errors such as null pointer dereferences. Using UndefinedBehaviorSanitizer (UBSan) or similar runtime analysis tools while running iccDEV's iccFromXml tool on crafted XML profiles can reveal the issue. There are no specific network detection commands since the vulnerability is triggered locally with user interaction. A suggested approach is to run iccFromXml with suspicious or crafted ICC profile XML files and monitor for crashes or UBSan runtime errors indicating null pointer dereference. [6, 1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade iccDEV to version 2.3.1.2 or later, where the vulnerability has been patched by adding proper null pointer checks in the XML parsing code. There are no workarounds available. Avoid processing untrusted or malformed ICC profile XML data until the update is applied. Applying the official patch or updating to the fixed version prevents the null pointer dereference and associated crashes. [1]