iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Be…

iccDEV, a library for ICC color management profiles, contains a critical vulnerability in versions 2.3.1.1 and below. The vulnerability involves undefined behavior and null pointer dereference in the CIccProfileXml::ParseBasic() function when processing user-controllable input. This occurs when untrusted input is unsafely incorporated into ICC profile data or structured binary data. Successful exploitation can lead to denial of service, data manipulation, application logic bypass, and potentially code execution. The vulnerability has been addressed in version 2.3.1.2 with patches available through the International Color Consortium's GitHub repository.