CVE-2026-21507
Infinite Loop Vulnerability in iccDEV CalcProfileID Function
Publication date: 2026-01-06
Last updated on: 2026-01-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | to 2.3.1.2 (exc) |
| internationalcolorconsortium | iccdev | 2.3.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an infinite loop in the CalcProfileID function within the IccProfile.cpp file of the iccDEV library. It occurs when processing certain malformed or fuzzed ICC profile XML files where a read operation returns zero bytes, causing the loop to never exit and the program to hang indefinitely. The issue arises because the loop's exit condition depends on decrementing a length variable by the number of bytes read, and if zero bytes are read, the loop condition never changes. This leads to a denial of service by making the application unresponsive. The problem was fixed by adding a conditional break when zero bytes are read to prevent the infinite loop. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can cause a denial of service (DoS) by making the affected application hang indefinitely when processing specially crafted or malformed ICC profile XML files. An attacker can exploit this remotely over the network without any privileges or user interaction, causing the application to become unresponsive and unavailable. It does not affect confidentiality or integrity but results in a complete loss of availability of the affected component. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for application hangs or unresponsiveness when processing ICC profile XML files, especially malformed or fuzzed inputs. According to Resource 2, a diagnostic approach involves modifying the code to include a printf statement that outputs a message like 'INFINITE LOOP broken' when the infinite loop condition is triggered, which helps detect the issue during fuzz testing. However, no specific network or system commands are provided to detect this vulnerability automatically. Detection mainly relies on observing the application behavior when handling suspicious ICC XML files. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the infinite loop vulnerability in the CalcProfileID function has been fixed (Resource 3). There are no official workarounds or patches other than upgrading. Avoid processing untrusted or malformed ICC profile XML files until the update is applied to prevent denial of service due to application hangs. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability causes a denial of service by triggering an infinite loop, resulting in loss of availability. It does not impact confidentiality or integrity of data. Therefore, it does not directly affect compliance with standards focused on data privacy and protection such as GDPR or HIPAA, which primarily address confidentiality and integrity. However, the availability impact could indirectly affect compliance if system availability is a regulatory requirement. [3]