CVE-2026-34541
Null Pointer Dereference in iccDEV ICC Profile Processing Causes UB
Publication date: 2026-03-31
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | versions before 2.3.1.6 (2.3.1.6 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in iccDEV, a set of libraries and tools for working with ICC color management profiles. Before version 2.3.1.6, a specially crafted ICC profile can trigger undefined behavior because the constructor of CIccCombinedConnectionConditions calls a member function through a null pointer (CWE-476). The crash is reached by running the iccApplyNamedCmm tool with the -PCC option on a malformed ICC profile.
How can this vulnerability impact me?
The null dereference is undefined behavior, which in practice means the tool may crash or behave unpredictably. The CVSS score (6.2) reflects a high impact on availability only, with no confidentiality or integrity impact, so the realistic consequence is denial of service or disruption of a workflow that processes attacker-supplied ICC profiles.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update iccDEV to version 2.3.1.6 or later, where the issue has been patched.
Until the update is applied, do not run iccApplyNamedCmm with the -PCC option on ICC profiles from untrusted sources, and treat any crash of the tool on such input as a signal to quarantine the profile.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.