CVE-2026-21680
NULL Pointer Dereference in iccDEV ICC Profile Processing
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| internationalcolorconsortium | iccdev | before 2.3.1.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21680 is a NULL pointer dereference vulnerability in the iccDEV library, specifically in the function CIccProfile::CheckTagTypes(). The code dereferences a pointer without first checking whether it is NULL, so processing malformed ICC color profile tags triggers a segmentation fault (SEGV). The result is an application crash or undefined behavior when handling ICC profiles. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can cause an application that uses the iccDEV library to crash due to a NULL pointer dereference, leading to a denial of service. Since the vulnerability can be triggered remotely over the network without privileges, it may disrupt services that process ICC color profiles. The impact is primarily on availability, where it causes a significant loss of service. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the iccDEV library's handling of ICC color profiles, specifically by fuzz testing the function CIccProfile::CheckTagTypes() with malformed ICC profile data to trigger a NULL pointer dereference crash. A reproducer input file named poc-crash-cf55e9ca4cd92b948da2034f7da3d4623168a514.txt demonstrates the crash. Detection involves running fuzz tests using tools like libFuzzer combined with MemorySanitizer targeting icc_profile_fuzzer. There are no specific network or system commands provided for detection. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, which contains the patch fixing the NULL pointer dereference vulnerability. No known workarounds are available. Applying the official patch that adds comprehensive NULL pointer checks and improved error handling in the affected functions will prevent crashes and denial of service. [3, 2]
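The bug class described above, next to the kind of NULL check the patch is said to add, as an added C++ example that is not iccDEV source. Every type and function name is hypothetical, and the null entry models a tag that failed to load from malformed data, which is an assumption about how the pointer becomes NULL.

```cpp
// Simplified model of the bug class; all names are hypothetical, not iccDEV source.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

struct Tag { uint32_t type; uint32_t GetType() const { return type; } };
struct TagEntry {                  // one row of the profile's tag table
    uint32_t sig;
    std::unique_ptr<Tag> tag;      // assumed to stay null when the tag body fails to parse
};
enum class Status { Ok, Warning, CriticalError };

// Unchecked form (CWE-476): assumes every entry has a loaded tag.
// With a null entry this is undefined behaviour, typically a SEGV.
Status CheckTagTypesUnchecked(const std::vector<TagEntry>& tags, uint32_t expected) {
    Status rv = Status::Ok;
    for (const auto& e : tags)
        if (e.tag->GetType() != expected) rv = Status::Warning;  // null dereference
    return rv;
}

// Hardened form: a missing tag becomes a reported validation failure, not a crash.
Status CheckTagTypesChecked(const std::vector<TagEntry>& tags, uint32_t expected,
                            std::string& report) {
    Status rv = Status::Ok;
    for (const auto& e : tags) {
        if (!e.tag) {
            report += "tag " + std::to_string(e.sig) + ": not loaded\n";
            rv = Status::CriticalError;
            continue;
        }
        if (e.tag->GetType() != expected && rv == Status::Ok) rv = Status::Warning;
    }
    return rv;
}

// Constructed sample: the second entry models a tag whose body could not be parsed.
std::vector<TagEntry> MakeSampleTags() {
    std::vector<TagEntry> tags;
    tags.push_back({0x64657363u, std::make_unique<Tag>(Tag{0x6D6C7563u})});
    tags.push_back({0x77747074u, nullptr});
    return tags;
}

int main() {
    std::string report;
    Status s = CheckTagTypesChecked(MakeSampleTags(), 0x6D6C7563u, report);
    std::printf("status=%d\n%s", static_cast<int>(s), report.c_str());
}
```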