Cyber Posture

CVE-2026-24407

Severity: High · Public PoC

Published: 24 January 2026

Modified: 30 January 2026
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H)
EPSS Score: 0.0017 (37.7th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly mitigates the CWE-20 improper input validation of user-controllable input incorporated into ICC profile data, preventing undefined behavior exploitation.

prevent: Requires timely patching of the icSigCalcOp() flaw by updating to iccDEV version 2.3.1.2, eliminating the vulnerability.

prevent: Ensures undefined behavior from malformed ICC profiles is handled securely to limit DoS, data manipulation, or code execution impacts.

Security Summary [AI-generated]

CVE-2026-24407 is an Undefined Behavior vulnerability in the icSigCalcOp() function within iccDEV, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. The flaw affects versions 2.3.1.1 and earlier, where user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs, leading to CWE-20 (Improper Input Validation) and CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior). The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H), indicating high availability impact with low integrity impact.

Attackers can exploit this vulnerability remotely over a network with low complexity and no privileges required, but it necessitates user interaction, such as convincing a victim to process a malicious ICC profile. Successful exploitation may enable denial of service (DoS), data manipulation, bypassing application logic, or even code execution, depending on the context of the affected software parsing the malformed profile.

Mitigation is available via an update to iccDEV version 2.3.1.2, which addresses the issue as detailed in the project's GitHub security advisory (GHSA-m6gx-93cp-4855), related issue (#481), and fixing commit (881802931a71c4b0dfc28bc80ee55b2cb84dab90). Security practitioners should advise clients using iccDEV-dependent applications, such as image processing tools, to apply the patch promptly and validate ICC profiles from untrusted sources.

Details

CWE(s)

Affected Products

color
iccdev
≤ 2.3.1.2

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability in iccDEV allows code execution or DoS via processing a malicious ICC profile in client applications, directly mapping to Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
