CVE-2026-21507

iccDEV is Vulnerable to Denial of Service via Infinite Loop in CalcProfileID()

CVSS 7.5 HIGHEPSS 0.4%CWE-835

In short

iccDEV, a color management software, has a bug that causes it to loop forever when processing certain profile files, making the application freeze and unusable. An attacker can crash the system by sending a specially crafted color profile.

Technical detail

An infinite loop exists in the CalcProfileID() function in IccProfile.cpp, triggered during ICC color profile processing. The vulnerability requires an attacker to provide a malicious profile file, resulting in denial of service through resource exhaustion and application hang.

Summary generated and translated by AI from the official description.

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

InternationalColorConsortium · iccDEV

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/InternationalColorConsortium/iccDEV/commit/3f3ce789d0d2b608c194ed172fa38943519dc198 https://github.com/InternationalColorConsortium/iccDEV/issues/244 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hgp5-r8m9-8qpj