{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21680", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-02T18:45:27.396Z", "datePublished": "2026-01-07T17:50:09.188Z", "dateUpdated": "2026-01-07T18:09:05.595Z"}, "containers": {"cna": {"title": "iccDEV has Null Pointer Dereference in CIccProfile::CheckTagTypes()", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mgp7-w4w3-mhx4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mgp7-w4w3-mhx4"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/issues/322", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/322"}, {"name": "https://github.com/InternationalColorConsortium/iccDEV/pull/325", "tags": ["x_refsource_MISC"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/325"}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"version": "< 2.3.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T17:50:09.188Z"}, "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}], "source": {"advisory": "GHSA-mgp7-w4w3-mhx4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T18:08:08.534617Z", "id": "CVE-2026-21680", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T18:09:05.595Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21680", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T18:08:08.534617Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T18:08:36.198Z"}}], "cna": {"title": "iccDEV has Null Pointer Dereference in CIccProfile::CheckTagTypes()", "source": {"advisory": "GHSA-mgp7-w4w3-mhx4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.2"}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mgp7-w4w3-mhx4", "name": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mgp7-w4w3-mhx4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/322", "name": "https://github.com/InternationalColorConsortium/iccDEV/issues/322", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/325", "name": "https://github.com/InternationalColorConsortium/iccDEV/pull/325", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T17:50:09.188Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21680", "state": "PUBLISHED", "dateUpdated": "2026-01-07T18:09:05.595Z", "dateReserved": "2026-01-02T18:45:27.396Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-07T17:50:09.188Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680", "versionEndExcluding": "2.3.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}], "id": "CVE-2026-21680", "lastModified": "2026-01-09T21:34:54.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-07T18:15:55.290", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/322"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/325"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mgp7-w4w3-mhx4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:00:03.377029+00:00", "value": {"mitigation_remediation": ["Upgrade the iccDEV library to version 2.3.1.2 or later, which includes the null pointer dereference fix.", "If an immediate upgrade is not feasible, restrict or validate ICC profile input before it is processed by the application, limiting exposure to untrusted data.", "implement monitoring for unexpected application crashes or memory-related errors linked to ICC profile handling to detect potential exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Null Pointer Dereference"}, "threat_synthesis": {"affected_systems": "The issue affects all releases of iccDEV from the International Color Consortium before version 2.3.1.2. Users who employ the iccDEV library to parse, manipulate, or apply ICC color profiles are directly impacted. No specific product lineage beyond the library is listed.", "description_and_impact": "The vulnerability causes a null pointer dereference within the iccDEV library when processing ICC color profiles. This defect can trigger a program crash or other undefined behavior such as memory corruption. The flaw is classified as CWE\u2011476, indicating that an object is used without ensuring it is properly instantiated. The primary impact is a potential denial of service for processes that handle color profiles, and in certain contexts may expose vulnerabilities that could be leveraged to manipulate memory structures.", "risk_and_exploitability": "The CVSS score of 6.5 places the vulnerability in the medium severity range. An EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability is not present in the CISA Known Exploited Vulnerabilities list. Attackers would need the ability to deliver or influence the processing of ICC profiles in an environment that uses the vulnerable library, which is typically a local or application\u2011level scenario. No workarounds are known, so the recommended action is to update to the patched release."}}}}, "created": "2026-01-08T09:47:54.824625+00:00", "updated": "2026-04-18T08:00:05.800064+00:00", "vendors": ["internationalcolorconsortium", "internationalcolorconsortium$PRODUCT$iccdev"]}