CVE-2026-24406

HighPublic PoC

Published: 24 January 2026

Published

24 January 2026

Modified

30 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0014 34.3th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or…

other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

Mitigating Controls (NIST 800-53 r5)AI

SI-16 Memory Protection good match

prevent

Implements memory protection safeguards like address space layout randomization and stack guards to prevent heap buffer overflows during processing of untrusted ICC profile data.

SI-10 Information Input Validation good match

prevent

Requires validation of user-controllable inputs such as ICC profile data to ensure proper size and structure before incorporation into binary blobs, directly addressing CWE-20 improper input validation.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and patching of flaws like the heap buffer overflow in iccDEV versions 2.3.1.1 and below, aligning with the vendor fix in 2.3.1.2.

Security SummaryAI

CVE-2026-24406 is a Heap Buffer Overflow vulnerability in the iccDEV library and tools, which are used for interacting with, manipulating, and applying ICC color management profiles. The flaw resides in the CIccTagNamedColor2::SetSize() function and affects versions 2.3.1.1 and below. It arises when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs, as associated with CWE-20 (Improper Input Validation) and CWE-122 (Heap-based Buffer Overflow).

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low attack complexity, no privileges, and user interaction required, such as opening a malicious ICC profile. Remote attackers can leverage specially crafted input to trigger the overflow, potentially achieving denial of service, data manipulation, bypassing application logic, or arbitrary code execution in applications that process ICC profiles via iccDEV.

The vulnerability has been addressed in iccDEV version 2.3.1.2. Mitigation involves updating to this patched release. Additional details are available in the GitHub security advisory (GHSA-h9h3-45cm-j95f), the related issue tracker (issues/480), and the fixing commit (90c71cba2c563b1f5dc84197f827540d1baaea67).

Details

CWE(s): CWE-20 CWE-122

Affected Products

color

iccdev

≤ 2.3.1.2

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Heap buffer overflow in iccDEV library enables arbitrary code execution via malicious ICC profiles processed by client applications, directly facilitating T1203: Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/InternationalColorConsortium/iccDEV/commit/90c71cba2c563b1f5dc84197f827540d1baaea67
Patch · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/issues/480
Exploit, Issue Tracking · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h9h3-45cm-j95f
Patch, Vendor Advisory · security-advisories@github.com