CVE-2026-21507
Unknown Unknown - Not Provided

Infinite Loop Vulnerability in iccDEV CalcProfileID Function

Vulnerability report for CVE-2026-21507, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-07-06
AI Q&A
2026-01-06
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)
internationalcolorconsortium iccdev 2.3.1.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability causes a denial of service by triggering an infinite loop, resulting in loss of availability. It does not impact confidentiality or integrity of data. Therefore, it does not directly affect compliance with standards focused on data privacy and protection such as GDPR or HIPAA, which primarily address confidentiality and integrity. However, the availability impact could indirectly affect compliance if system availability is a regulatory requirement. [3]

Executive Summary

This vulnerability is an infinite loop in the CalcProfileID function within the IccProfile.cpp file of the iccDEV library. It occurs when processing certain malformed or fuzzed ICC profile XML files where a read operation returns zero bytes, causing the loop to never exit and the program to hang indefinitely. The issue arises because the loop's exit condition depends on decrementing a length variable by the number of bytes read, and if zero bytes are read, the loop condition never changes. This leads to a denial of service by making the application unresponsive. The problem was fixed by adding a conditional break when zero bytes are read to prevent the infinite loop. [1, 2, 3]

Impact Analysis

This vulnerability can cause a denial of service (DoS) by making the affected application hang indefinitely when processing specially crafted or malformed ICC profile XML files. An attacker can exploit this remotely over the network without any privileges or user interaction, causing the application to become unresponsive and unavailable. It does not affect confidentiality or integrity but results in a complete loss of availability of the affected component. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for application hangs or unresponsiveness when processing ICC profile XML files, especially malformed or fuzzed inputs. According to Resource 2, a diagnostic approach involves modifying the code to include a printf statement that outputs a message like 'INFINITE LOOP broken' when the infinite loop condition is triggered, which helps detect the issue during fuzz testing. However, no specific network or system commands are provided to detect this vulnerability automatically. Detection mainly relies on observing the application behavior when handling suspicious ICC XML files. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the infinite loop vulnerability in the CalcProfileID function has been fixed (Resource 3). There are no official workarounds or patches other than upgrading. Avoid processing untrusted or malformed ICC profile XML files until the update is applied to prevent denial of service due to application hangs. [3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21507. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart