CVE-2026-21503
Unknown Unknown - Not Provided
Null Pointer Dereference in iccDEV CIccTagSparseMatrixArray Causes Crash

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to a null pointer passed to memcpy() in CIccTagSparseMatrixArray. This issue has been patched in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21503
EUVD
EUVD-2026-1386
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-628 The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-131 The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21503 is a vulnerability in the iccDEV library affecting versions prior to 2.3.1.2. It occurs in the CIccTagSparseMatrixArray component where a null pointer is passed to the memcpy() function, causing undefined behavior and runtime errors. This happens due to improper input validation, incorrect buffer size calculation, and null pointer dereferencing. The issue can cause unsafe memory operations leading to potential crashes or instability when processing ICC color profiles. [1, 2, 4]

Impact Analysis

This vulnerability can impact you by causing runtime errors or crashes when processing ICC color profiles using the iccDEV library. It has a high impact on availability, meaning it can cause the application to become unstable or stop functioning properly. The integrity impact is low, and there is no confidentiality loss. The attack requires local access with low complexity and some user interaction, but no privileges are needed. [1, 4]

Detection Guidance

This vulnerability can be detected by checking the version of the iccDEV library installed on your system. Versions prior to 2.3.1.2 are vulnerable. Additionally, runtime errors related to null pointer dereferences in the CIccTagSparseMatrixArray component, such as those flagged by UndefinedBehaviorSanitizer during processing of ICC profiles, can indicate the presence of this vulnerability. There are no specific network detection commands provided. To check the version, you can use commands like `iccdev --version` or inspect the installed package version depending on your system's package manager. Monitoring logs for runtime errors or crashes related to ICC profile processing tools like `iccRoundTrip` may also help detect exploitation attempts. [1, 4]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched. The patch includes improved input validation to prevent null pointer dereferences and runtime errors. Since no workarounds are provided, updating to the fixed version is the recommended action to eliminate the vulnerability. [1, 2, 3]

Compliance Impact

The vulnerability in iccDEV causes undefined behavior and potential runtime errors due to null pointer dereferencing, impacting availability and integrity but not confidentiality. There is no information indicating that this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21503. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart