CVE-2026-34541: CWE-476: NULL Pointer Dereference in InternationalColorConsortium iccDEV
CVE-2026-34541 is a medium severity vulnerability in iccDEV, a library for handling ICC color profiles. The flaw is a NULL pointer dereference in the CIccCombinedConnectionConditions constructor, triggered by a crafted ICC profile when using iccApplyNamedCmm with the -PCC option. This leads to undefined behavior and causes a denial of service by crashing the application. The vulnerability affects iccDEV versions prior to 2.3.1.6 and requires no authentication or user interaction, but does require local access to process malicious ICC files. No known exploits are reported in the wild, and the issue has been patched in version 2.3.1.
AI Analysis
Technical Summary
CVE-2026-34541 is a vulnerability identified in the iccDEV project maintained by the InternationalColorConsortium, which provides libraries and tools for managing ICC color profiles. The issue is a NULL pointer dereference (CWE-476) in the constructor of the CIccCombinedConnectionConditions class, specifically a member call on a null pointer of type CIccTagSpectralViewingConditions. The flaw is triggered when processing a specially crafted ICC profile using the iccApplyNamedCmm tool with the -PCC flag. The undefined behavior caused by this dereference crashes the application, resulting in a denial of service (DoS). The vulnerability affects all versions of iccDEV prior to 2.3.1.6, in which the issue is fixed. Exploitation requires local access to supply a malformed ICC profile to the tool; it needs neither privileges nor user interaction and poses no confidentiality or integrity risk. The CVSS v3.1 base score is 6.2, reflecting medium severity, primarily due to the impact on availability and the low complexity of exploitation. No public exploits or active exploitation in the wild have been reported as of now. This vulnerability highlights the risks of processing untrusted ICC profiles in color management workflows and the importance of input validation and robust error handling in such libraries.
Potential Impact
The primary impact of CVE-2026-34541 is a denial of service condition caused by application crashes when processing malicious ICC profiles. This can disrupt image processing pipelines, printing workflows, or any system relying on iccDEV for color management, potentially halting operations temporarily. Since the vulnerability does not affect confidentiality or integrity, data leakage or unauthorized modification is not a concern. However, availability disruption can affect organizations that depend on automated color profile handling, such as print service providers, media companies, and graphic design firms. The ease of triggering the crash with crafted ICC files and no need for authentication increases the risk of accidental or intentional disruption. Although no exploits are known in the wild, the vulnerability could be leveraged in targeted attacks to interrupt critical color management processes. Systems that integrate iccDEV into larger software stacks may experience cascading failures if not properly isolated. Overall, the impact is moderate but significant for environments where uptime and reliability of color processing are critical.
Mitigation Recommendations
To mitigate CVE-2026-34541, organizations should immediately upgrade iccDEV to version 2.3.1.6 or later, where the NULL pointer dereference issue is patched. Additionally, implement strict validation and sanitization of all ICC profiles before processing, especially those obtained from untrusted or external sources. Employ sandboxing or containerization for applications using iccDEV to limit the impact of potential crashes. Monitor logs and application behavior for unexpected terminations related to ICC profile processing. Where possible, restrict the use of the iccApplyNamedCmm tool with the -PCC option to trusted users and environments. Incorporate fuzz testing and static analysis in the development lifecycle to detect similar memory safety issues proactively. Finally, maintain an inventory of systems using iccDEV to ensure timely patch deployment and reduce exposure.
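The sandboxing and crash-monitoring recommendations above can be combined in a small wrapper that runs the profile-processing command as a resource-limited child process and reports signal terminations. This is an added example, not code from iccDEV or from this advisory; `run_isolated`, its limits and its return fields are assumptions, and the iccApplyNamedCmm command line is left to the caller.

```python
import resource
import signal
import subprocess

def _cap(res, value):
    # Lower only the soft limit; the hard limit is left as inherited.
    _, hard = resource.getrlimit(res)
    soft = value if hard == resource.RLIM_INFINITY else min(value, hard)
    resource.setrlimit(res, (soft, hard))

def _child_limits():
    # Runs in the child just before exec.
    _cap(resource.RLIMIT_CORE, 0)   # no core dumps of untrusted input
    _cap(resource.RLIMIT_CPU, 20)   # CPU seconds (assumed budget)

def run_isolated(argv, timeout=30):
    """Run argv in its own process and classify how it ended.

    status: 'ok' (exit 0), 'error' (non-zero exit), 'crash' (killed by a
    signal, e.g. SIGSEGV from a NULL dereference) or 'timeout'.
    """
    try:
        proc = subprocess.run(
            argv, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
            stderr=subprocess.PIPE, timeout=timeout, preexec_fn=_child_limits)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "signal": None, "returncode": None}
    if proc.returncode < 0:
        # POSIX: a negative return code is the terminating signal number.
        name = signal.Signals(-proc.returncode).name
        return {"status": "crash", "signal": name, "returncode": proc.returncode}
    status = "ok" if proc.returncode == 0 else "error"
    return {"status": status, "signal": None, "returncode": proc.returncode}

if __name__ == "__main__":
    import sys
    # Constructed stand-in for a crashing tool run: the child sends itself SIGSEGV.
    crash = [sys.executable, "-c",
             "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
    print(run_isolated(crash))  # a caller would pass the real tool command here
```

A `crash` result for a given profile is the event to log and alert on; the calling pipeline keeps running because the fault is confined to the child process.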
Affected Countries
United States, Germany, Japan, South Korea, China, France, United Kingdom, Canada, Netherlands, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-30T16:31:39.263Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cc45d1e6bfc5ba1d47e0f2
Added to database: 3/31/2026, 10:08:17 PM
Last enriched: 3/31/2026, 10:23:33 PM
Last updated: 3/31/2026, 11:19:14 PM