CVE-2026-21503
Unknown Unknown - Not Provided

Null Pointer Dereference in iccDEV CIccTagSparseMatrixArray Causes Crash

Vulnerability report for CVE-2026-21503, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to a null pointer passed to memcpy() in CIccTagSparseMatrixArray. This issue has been patched in version 2.3.1.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-07-06
AI Q&A
2026-01-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-131 The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
CWE-628 The product calls a function, procedure, or routine with arguments that are not correctly specified, leading to always-incorrect behavior and resultant weaknesses.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-21503 is a vulnerability in the iccDEV library affecting versions prior to 2.3.1.2. It occurs in the CIccTagSparseMatrixArray component where a null pointer is passed to the memcpy() function, causing undefined behavior and runtime errors. This happens due to improper input validation, incorrect buffer size calculation, and null pointer dereferencing. The issue can cause unsafe memory operations leading to potential crashes or instability when processing ICC color profiles. [1, 2, 4]

Compliance Impact

The vulnerability in iccDEV causes undefined behavior and potential runtime errors due to null pointer dereferencing, impacting availability and integrity but not confidentiality. There is no information indicating that this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA. [1]

Impact Analysis

This vulnerability can impact you by causing runtime errors or crashes when processing ICC color profiles using the iccDEV library. It has a high impact on availability, meaning it can cause the application to become unstable or stop functioning properly. The integrity impact is low, and there is no confidentiality loss. The attack requires local access with low complexity and some user interaction, but no privileges are needed. [1, 4]

Detection Guidance

This vulnerability can be detected by checking the version of the iccDEV library installed on your system. Versions prior to 2.3.1.2 are vulnerable. Additionally, runtime errors related to null pointer dereferences in the CIccTagSparseMatrixArray component, such as those flagged by UndefinedBehaviorSanitizer during processing of ICC profiles, can indicate the presence of this vulnerability. There are no specific network detection commands provided. To check the version, you can use commands like `iccdev --version` or inspect the installed package version depending on your system's package manager. Monitoring logs for runtime errors or crashes related to ICC profile processing tools like `iccRoundTrip` may also help detect exploitation attempts. [1, 4]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been patched. The patch includes improved input validation to prevent null pointer dereferences and runtime errors. Since no workarounds are provided, updating to the fixed version is the recommended action to eliminate the vulnerability. [1, 2, 3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21503. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart