CVE-2026-34541: CWE-476: NULL Pointer Dereference in InternationalColorConsortium iccDEV
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) via a null-pointer member call in CIccCombinedConnectionConditions::CIccCombinedConnectionConditions() (reported by UBSan as “member call on null pointer of type CIccTagSpectralViewingConditions”). The issue is reachable when running iccApplyNamedCmm with -PCC using a malformed .icc profile. This issue has been patched in version 2.3.1.6.
AI Analysis
Technical Summary
CVE-2026-34541 is a NULL pointer dereference vulnerability (CWE-476) in the InternationalColorConsortium's iccDEV library prior to version 2.3.1.6. The flaw arises in the CIccCombinedConnectionConditions constructor due to a null-pointer member call on CIccTagSpectralViewingConditions, which is detected by UBSan as undefined behavior. This can be triggered by processing a maliciously crafted ICC profile with the iccApplyNamedCmm tool using the -PCC flag. The vulnerability can cause application crashes or denial of service. The issue is fixed in iccDEV version 2.3.1.6.
Potential Impact
The vulnerability can cause a denial of service through application crash when a malformed ICC profile is processed. There is no indication of confidentiality or integrity impact. The CVSS v3.1 score is 6.2 (medium severity), reflecting local attack vector with low complexity and no privileges required, resulting in availability impact only.
Mitigation Recommendations
Upgrade iccDEV to version 2.3.1.6 or later, where this NULL pointer dereference vulnerability has been patched. No other mitigations are indicated or required.
CVE-2026-34541: CWE-476: NULL Pointer Dereference in InternationalColorConsortium iccDEV
Description
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) via a null-pointer member call in CIccCombinedConnectionConditions::CIccCombinedConnectionConditions() (reported by UBSan as “member call on null pointer of type CIccTagSpectralViewingConditions”). The issue is reachable when running iccApplyNamedCmm with -PCC using a malformed .icc profile. This issue has been patched in version 2.3.1.6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34541 is a NULL pointer dereference vulnerability (CWE-476) in the InternationalColorConsortium's iccDEV library prior to version 2.3.1.6. The flaw arises in the CIccCombinedConnectionConditions constructor due to a null-pointer member call on CIccTagSpectralViewingConditions, which is detected by UBSan as undefined behavior. This can be triggered by processing a maliciously crafted ICC profile with the iccApplyNamedCmm tool using the -PCC flag. The vulnerability can cause application crashes or denial of service. The issue is fixed in iccDEV version 2.3.1.6.
Potential Impact
The vulnerability can cause a denial of service through application crash when a malformed ICC profile is processed. There is no indication of confidentiality or integrity impact. The CVSS v3.1 score is 6.2 (medium severity), reflecting local attack vector with low complexity and no privileges required, resulting in availability impact only.
Mitigation Recommendations
Upgrade iccDEV to version 2.3.1.6 or later, where this NULL pointer dereference vulnerability has been patched. No other mitigations are indicated or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T16:31:39.263Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cc45d1e6bfc5ba1d47e0f2
Added to database: 3/31/2026, 10:08:17 PM
Last enriched: 4/8/2026, 12:07:24 AM
Last updated: 5/15/2026, 4:10:10 AM
Views: 110
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.