CVE-2026-21503
Null Pointer Dereference in iccDEV CIccTagSparseMatrixArray Causes Crash
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | < 2.3.1.2 (all versions before 2.3.1.2; 2.3.1.2 itself is fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-628 | The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-131 | The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21503 is a vulnerability in the iccDEV library affecting versions prior to 2.3.1.2. It occurs in the CIccTagSparseMatrixArray component, where a null pointer is passed to memcpy() while an ICC profile is being processed. Passing a null pointer to memcpy() is undefined behavior even when the length is zero, which is why sanitizers flag it and why the outcome is a crash or other runtime error rather than a predictable result. The CWE entries on record attribute the issue to improper input validation (CWE-20), an incorrectly calculated buffer size (CWE-131), a null pointer dereference (CWE-476) and a library function called with incorrectly specified arguments (CWE-628). The practical effect is unsafe memory operations, crashes or instability in any application that uses iccDEV to process a crafted ICC color profile. [1, 2, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in iccDEV causes undefined behavior and potential runtime errors due to null pointer dereferencing, impacting availability and integrity but not confidentiality. There is no information indicating that this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA. [1]
How can this vulnerability impact me?
This vulnerability can cause runtime errors or crashes when an application that uses the iccDEV library processes a crafted ICC color profile. The availability impact is high: the affected process can become unstable or terminate. The integrity impact is low and there is no confidentiality impact. The attack vector is local with low complexity and requires user interaction (for example, opening or converting a malicious profile), but no privileges. [1, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start by establishing which version of iccDEV your system or application uses: versions prior to 2.3.1.2 are vulnerable. iccDEV ships as a library (IccProfLib) plus command-line tools such as iccRoundTrip, iccDumpProfile, iccToXml and iccFromXml; there is no single `iccdev --version` command. If the library came from a distribution package, query your package manager for its version; if it was built from source, check the version recorded in the source tree you built from, and inventory which applications link IccProfLib. There is no network signature for this issue: the trigger is a crafted profile handled locally, so no network detection commands apply. At runtime, a build instrumented with UndefinedBehaviorSanitizer reports a null pointer passed to memcpy() when CIccTagSparseMatrixArray handles a triggering profile; treat this as a test-time signal for fuzzing and regression testing rather than a production detector. In production, monitor crash logs of iccRoundTrip and other ICC-processing tools for abnormal terminations while handling profiles, which may indicate exploitation attempts. [1, 4]
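The explanation and detection answers above describe the weakness chain (CWE-20, CWE-131, CWE-476, CWE-628) and the UBSan signal without showing code. The following C++ example is added here as an illustration; it is not iccDEV's code and does not reproduce CIccTagSparseMatrixArray or the real ICC tag format. It uses a made-up sparse-matrix tag layout (rows, cols, entries) and constructed sample tags to show the shape of the bug beside a hardened reader: the vulnerable reader trusts the header's entry count, lets rows*cols wrap, and reaches memcpy(NULL, src, 0) on a zero-entry tag; the hardened reader bounds every quantity before memcpy sees it and skips the copy when there is nothing to copy.

```cpp
// Added illustrative example, not iccDEV code. Models the CWE-20/131/476/628 chain the
// advisory lists using a made-up "sparse matrix" tag layout.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <vector>

// Hypothetical tag layout (constructed for this example, not the ICC specification):
//   bytes 0..3  rows   (big-endian uint32)
//   bytes 4..7  cols   (big-endian uint32)
//   bytes 8..   rows*cols entries, 2 bytes each
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

struct SparseTag {
    uint32_t rows = 0, cols = 0;
    std::vector<uint8_t> raw;  // entry bytes, still in wire order
};

enum class ParseStatus { Ok, Truncated, CountOverflow, Empty };

// BEFORE: the bug shape. The entry count is trusted from the header (CWE-20), rows*cols can
// wrap in 32 bits (CWE-131), and the copy runs even when no buffer was allocated, so a
// zero-entry tag reaches memcpy(NULL, src, 0): undefined behaviour (CWE-476 / CWE-628).
ParseStatus parse_vulnerable(const uint8_t *data, size_t len, SparseTag &out) {
    (void)len;                             // never consulted: the header is believed
    out.rows = be32(data);
    out.cols = be32(data + 4);
    uint32_t n = out.rows * out.cols;      // 0x10000 * 0x10000 silently becomes 0
    size_t bytes = (size_t)n * 2;
    uint8_t *buf = n ? new uint8_t[bytes] : nullptr;
    memcpy(buf, data + 8, bytes);          // UBSan: "null pointer passed as argument 1"
    out.raw.assign(buf, buf + bytes);
    delete[] buf;
    return ParseStatus::Ok;
}

// AFTER: every quantity that feeds the copy is checked before memcpy sees it.
ParseStatus parse_hardened(const uint8_t *data, size_t len, SparseTag &out) {
    if (data == nullptr || len < 8) return ParseStatus::Truncated;
    out.rows = be32(data);
    out.cols = be32(data + 4);
    if (out.rows != 0 && out.cols > std::numeric_limits<uint32_t>::max() / out.rows)
        return ParseStatus::CountOverflow;                 // rows*cols would wrap
    uint64_t n = (uint64_t)out.rows * out.cols;
    if (n > (len - 8) / 2) return ParseStatus::Truncated;  // more entries declared than present
    if (n == 0) { out.raw.clear(); return ParseStatus::Empty; }  // nothing to copy: never call memcpy
    out.raw.resize((size_t)n * 2);
    memcpy(out.raw.data(), data + 8, out.raw.size());      // both pointers valid, size <= len - 8
    return ParseStatus::Ok;
}

// Constructed sample tags (not taken from any real profile).
static const uint8_t kGoodTag[]  = {0,0,0,1, 0,0,0,2, 0x12,0x34, 0x56,0x78};  // 1x2, both entries present
static const uint8_t kTruncTag[] = {0,0,0,1, 0,0,0,2, 0x12};                // claims 2 entries, has 1 byte
static const uint8_t kZeroTag[]  = {0,0,0,0, 0,0,0,5};                      // 0x5: zero entries
static const uint8_t kWrapTag[]  = {0,1,0,0, 0,1,0,0};                      // 0x10000 x 0x10000 wraps to 0

// Status of the hardened reader on a tag, for callers that only need the verdict.
ParseStatus hardened_status(const uint8_t *tag, size_t len) {
    SparseTag t;
    return parse_hardened(tag, len, t);
}

// Entry bytes the hardened reader recovered from a tag, or empty if it was rejected.
std::vector<uint8_t> hardened_entries(const uint8_t *tag, size_t len) {
    SparseTag t;
    return parse_hardened(tag, len, t) == ParseStatus::Ok ? t.raw : std::vector<uint8_t>{};
}

int main() {
    SparseTag t;
    printf("hardened reader, zero-entry tag: status %d\n", (int)parse_hardened(kZeroTag, sizeof kZeroTag, t));
    // Build with -fsanitize=undefined to see the null-pointer-to-memcpy report from this call.
    printf("vulnerable reader, zero-entry tag: status %d\n", (int)parse_vulnerable(kZeroTag, sizeof kZeroTag, t));
    return 0;
}
```

Compile with `g++ -std=c++17 -fsanitize=undefined` and run: the vulnerable reader on the zero-entry tag produces UBSan's "null pointer passed as argument 1, which is declared to never be null" diagnostic on glibc, where memcpy is declared nonnull, even though the zero-length copy does not crash without the sanitizer. That is the detection signal the answer above refers to, and it is why a fuzzing harness should run with sanitizers rather than relying on crashes alone. The hardened reader rejects the truncated and wrapped tags and returns Empty for the zero-entry tag without calling memcpy.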
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade iccDEV to version 2.3.1.2 or later, where the issue is fixed with additional input validation so that the null pointer no longer reaches memcpy(). No workaround is published, so updating to the fixed version is the recommended action. Rebuild and redeploy any application that statically links IccProfLib, since updating the library on its own does not reach those binaries. [1, 2, 3]