The vulnerability identified as CVE-2026-34551 affects the InternationalColorConsortium's iccDEV library, specifically versions before 2.3.1.6. iccDEV is widely used for handling ICC color management profiles, which are embedded in various image formats including TIFF. The flaw is a NULL pointer dereference (CWE-476) occurring in the CIccTagLut16::Write() function. This function is responsible for writing LUT16 (Look-Up Table 16-bit) tags within ICC profiles. When iccTiffDump extracts ICC profiles from TIFF images and processes a maliciously crafted profile containing malformed LUT16 tags, the NULL pointer dereference can be triggered. This results in an application crash or denial of service (DoS) condition. The vulnerability requires no privileges or user interaction beyond processing the crafted file, but the attack vector is limited to local or trusted file input scenarios since the attack depends on supplying a malicious ICC profile embedded in a TIFF. The CVSS v3.1 base score is 6.2, reflecting medium severity due to the impact on availability without compromising confidentiality or integrity. The issue has been addressed in iccDEV version 2.3.1.6, and users are advised to upgrade to this or later versions to mitigate the risk. No public exploits or active exploitation have been reported to date.

The primary impact of this vulnerability is denial of service through application crashes when processing malicious ICC profiles embedded in TIFF images. Organizations relying on iccDEV for image processing, color management, or digital asset workflows may experience service interruptions or application instability if exposed to crafted files. This could affect automated image processing pipelines, printing workflows, or any software components that utilize iccDEV libraries. Although the vulnerability does not allow code execution or data compromise, repeated crashes could degrade service availability and reliability. In environments where image files are received from untrusted sources or processed automatically, the risk of accidental or malicious triggering increases. This could lead to operational disruptions, increased support costs, and potential downstream effects on dependent systems. Since the vulnerability requires local or trusted file input, remote exploitation risk is limited unless the software is used in network-facing services that process user-supplied images.

To mitigate this vulnerability, organizations should upgrade iccDEV to version 2.3.1.6 or later where the NULL pointer dereference has been fixed. Additionally, implement strict input validation and sanitization for ICC profiles embedded in TIFF or other image files before processing. Employ sandboxing or process isolation for applications handling untrusted image files to contain potential crashes and prevent broader system impact. Monitor logs and application behavior for signs of crashes related to ICC profile processing. Where possible, restrict the acceptance of image files from untrusted or unauthenticated sources. For automated workflows, incorporate file integrity checks and scanning to detect malformed or suspicious ICC profiles. Finally, maintain an inventory of software components using iccDEV to ensure timely patching and vulnerability management.