CVE-2026-21502
NULL Pointer Dereference in iccDEV XML Tag Parser
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | to 2.3.1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-252 | The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
| CWE-690 | The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21502 is a null pointer dereference vulnerability in the iccDEV library, specifically in the XML tag parser used for processing ICC color profiles. The issue occurs because the code does not properly check if an XML node pointer (pNode) is null before dereferencing it during parsing. This can happen when parsing malformed or crafted ICC profile XML data, leading to a crash or undefined behavior. The vulnerability arises from improper input validation and unchecked return values in functions handling XML fixed number arrays. It was fixed by adding null checks to prevent dereferencing null pointers in the parsing functions. [1, 2, 4, 5]
How can this vulnerability impact me? :
This vulnerability can cause applications using the iccDEV library to crash or behave unpredictably when parsing maliciously crafted ICC profile XML files. The impact is primarily on availability, as the null pointer dereference leads to a denial of service (application crash). There is no impact on confidentiality or integrity. Exploitation requires local access with low attack complexity and user interaction, meaning an attacker could cause a denial of service by supplying malformed ICC profile XML data to an affected application. [2, 4, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the iccDEV library's XML parsing functionality with specially crafted ICC profile XML files that contain malformed or missing XML nodes, which trigger the null pointer dereference. Specifically, using a crafted ICC profile XML file similar to 'SegFault-IccTagXml_CIccTagXmlFixedNum_L1273.xml' that includes various ICC profile tags (e.g., desc, rXYZ, gXYZ, bXYZ, wtpt, chad, rTRC, gTRC, bTRC, A2B0, B2A0) can reproduce the crash. Monitoring application crashes or segmentation faults during ICC profile XML parsing indicates the presence of the vulnerability. While no explicit commands are provided, running the iccDEV parser on suspicious or untrusted ICC profile XML files and observing for crashes or errors is the practical detection method. [5]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched by adding proper null pointer checks in the XML parsing functions. Avoid processing untrusted or malformed ICC profile XML files until the update is applied. Since no workarounds are provided, applying the official fix from the repository (e.g., pull request #407) is necessary to prevent crashes and denial-of-service conditions caused by this vulnerability. [4, 2]