CVE-2026-21680
Unknown Unknown - Not Provided
NULL Pointer Dereference in iccDEV ICC Profile Processing

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: GitHub, Inc.

Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-21680
EUVD
EUVD-2026-1413
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
internationalcolorconsortium iccdev to 2.3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21680 is a NULL pointer dereference vulnerability in the iccDEV library, specifically in the function CIccProfile::CheckTagTypes(). The vulnerability occurs because the code dereferences a pointer without checking if it is NULL, leading to a crash when processing malformed ICC color profile tags. This causes a segmentation fault (SEGV) and can result in application crashes or undefined behavior when handling ICC profiles. [1, 2, 3]

Impact Analysis

This vulnerability can cause the application using the iccDEV library to crash due to a NULL pointer dereference, leading to a denial of service. Since the vulnerability can be triggered remotely over the network without privileges, it may disrupt services that process ICC color profiles. The impact is primarily on availability, causing significant loss of service availability. [1, 3]

Detection Guidance

This vulnerability can be detected by testing the iccDEV library's handling of ICC color profiles, specifically by fuzz testing the function CIccProfile::CheckTagTypes() with malformed ICC profile data to trigger a NULL pointer dereference crash. A reproducer input file named poc-crash-cf55e9ca4cd92b948da2034f7da3d4623168a514.txt demonstrates the crash. Detection involves running fuzz tests using tools like libFuzzer combined with MemorySanitizer targeting icc_profile_fuzzer. There are no specific network or system commands provided for detection. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, which contains the patch fixing the NULL pointer dereference vulnerability. No known workarounds are available. Applying the official patch that adds comprehensive NULL pointer checks and improved error handling in the affected functions will prevent crashes and denial of service. [3, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21680. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart