Cyber Posture

CVE-2026-24409

HighPublic PoC

Published: 24 January 2026

Published
24 January 2026
Modified
30 January 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
EPSS Score 0.0014 34.5th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccTagXmlFloatNum<>::ParseXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data…

more

or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates improper input validation (CWE-20) by requiring validation of user-controllable ICC profile data before parsing to prevent null pointer dereferences and undefined behavior.

SI-2 Flaw Remediation good match
prevent

Ensures timely flaw remediation by requiring upgrades to patched versions like iccDEV 2.3.1.2 to eliminate the null pointer dereference vulnerability.

SI-11 Error Handling good match
prevent

Addresses error handling for unchecked return values (CWE-690) and undefined behavior (CWE-758) during XML parsing to prevent crashes, DoS, and potential exploitation.

Security SummaryAI

CVE-2026-24409 is an Undefined Behavior and Null Pointer Dereference vulnerability in the CIccTagXmlFloatNum<>::ParseXml() function within iccDEV, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. The flaw affects versions 2.3.1.1 and earlier, where user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs, leading to CWE-20 (Improper Input Validation), CWE-476 (NULL Pointer Dereference), CWE-690 (Unchecked Return Value to NULL Pointer Dereference), and CWE-758 ( Reliance on Undefined, Unspecified, or Implementation-Defined Behavior). The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).

Remote attackers without privileges can exploit this issue over the network with low complexity, but it requires user interaction, such as opening a malicious ICC profile. Successful exploitation enables denial of service through crashes, data manipulation, bypassing application logic, and potentially code execution, with high impact on availability and low impact on integrity.

Mitigation is addressed in the official GitHub security advisory (GHSA-398v-jvcg-p8f3), issue tracker (#484), and fixing commit (9f134c44895edd2edca4bcb97e15c0ba9aa77382), which recommend upgrading to iccDEV version 2.3.1.2.

Details

CWE(s)
CWE-20CWE-476CWE-690CWE-758

Affected Products

color
iccdev
≤ 2.3.1.2

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Vulnerability in ICC profile parsing library enables client-side exploitation of software vulnerabilities for potential code execution (T1203) and application crashes/denial of service via null pointer dereference (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References