CVE-2026-21507
Unknown Unknown - Not Provided
Infinite Loop Vulnerability in iccDEV CalcProfileID Function

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21507
EUVD
EUVD-2026-1147
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)
internationalcolorconsortium iccdev 2.3.1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability causes a denial of service by triggering an infinite loop, resulting in loss of availability. It does not impact confidentiality or integrity of data. Therefore, it does not directly affect compliance with standards focused on data privacy and protection such as GDPR or HIPAA, which primarily address confidentiality and integrity. However, the availability impact could indirectly affect compliance if system availability is a regulatory requirement. [3]

Executive Summary

This vulnerability is an infinite loop in the CalcProfileID function within the IccProfile.cpp file of the iccDEV library. It occurs when processing certain malformed or fuzzed ICC profile XML files where a read operation returns zero bytes, causing the loop to never exit and the program to hang indefinitely. The issue arises because the loop's exit condition depends on decrementing a length variable by the number of bytes read, and if zero bytes are read, the loop condition never changes. This leads to a denial of service by making the application unresponsive. The problem was fixed by adding a conditional break when zero bytes are read to prevent the infinite loop. [1, 2, 3]

Impact Analysis

This vulnerability can cause a denial of service (DoS) by making the affected application hang indefinitely when processing specially crafted or malformed ICC profile XML files. An attacker can exploit this remotely over the network without any privileges or user interaction, causing the application to become unresponsive and unavailable. It does not affect confidentiality or integrity but results in a complete loss of availability of the affected component. [2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for application hangs or unresponsiveness when processing ICC profile XML files, especially malformed or fuzzed inputs. According to Resource 2, a diagnostic approach involves modifying the code to include a printf statement that outputs a message like 'INFINITE LOOP broken' when the infinite loop condition is triggered, which helps detect the issue during fuzz testing. However, no specific network or system commands are provided to detect this vulnerability automatically. Detection mainly relies on observing the application behavior when handling suspicious ICC XML files. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the infinite loop vulnerability in the CalcProfileID function has been fixed (Resource 3). There are no official workarounds or patches other than upgrading. Avoid processing untrusted or malformed ICC profile XML files until the update is applied to prevent denial of service due to application hangs. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21507. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart