CVE-2026-24410
Published: 24 January 2026
Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and a Null Pointer Dereference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to cause a denial of service, manipulate data, bypass application logic, or achieve code execution. This issue has been fixed in version 2.3.1.2.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
Flaw Remediation (SI-2): update to iccDEV 2.3.1.2, the release that contains the fix; no configuration workaround is described for earlier versions.
Information Input Validation (SI-10): treat ICC profile data as untrusted input and check it for completeness and consistency before CIccProfileXml::ParseBasic() or any other parser acts on it, so that a missing or malformed element is rejected rather than dereferenced.
Error Handling (SI-11): parser failures should be reported to the caller as errors instead of letting execution continue in an undefined state, which limits the effect of a malformed profile to a rejected input rather than a crash (DoS), data manipulation, or code execution.
Security Summary (AI-generated)
CVE-2026-24410 is an Undefined Behavior and Null Pointer Dereference vulnerability in the CIccProfileXml::ParseBasic() function of iccDEV, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. The flaw affects versions 2.3.1.1 and below, where user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. It is associated with CWE-20 (Improper Input Validation), CWE-476 (NULL Pointer Dereference), CWE-690 (Unchecked Return Value to NULL Pointer Dereference), and CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior), and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).
The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring user interaction such as opening a maliciously crafted ICC profile. Exploitation occurs when the affected component parses the input, potentially leading to denial of service, data manipulation, bypassing application logic, or code execution.
Mitigation is available in iccDEV version 2.3.1.2, which addresses the issue. Security advisories recommend updating to this patched version. Key references include the fixing commit at https://github.com/InternationalColorConsortium/iccDEV/commit/3cf522b13832692b107322cd51c4ae5c3a21f366, the issue discussion at https://github.com/InternationalColorConsortium/iccDEV/issues/507, and the GitHub security advisory at https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398q-4rpv-3v9r.
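As an added illustration, not code from iccDEV and not the actual ParseBasic() logic or the fix in the commit referenced above, the following C++ sketch shows the CWE-690 pattern the summary describes (an attribute lookup that can return null, handed straight to a C library call) beside a hardened form that applies the input-validation and error-handling controls listed earlier. XmlElement, IccHeaderBasic, parseBasicUnchecked, parseBasicChecked and copySignature are hypothetical names chosen for this example; the attribute names and the two sample headers are constructed inputs.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <map>
#include <string>

// Constructed stand-in for a parsed XML element. Hypothetical: it is not
// iccDEV's CIccProfileXml and does not reproduce the actual CVE-2026-24410 bug.
struct XmlElement {
    std::map<std::string, std::string> attrs;
    // Returns nullptr when the attribute is absent, as libxml-style lookups do.
    const char *attr(const char *name) const {
        auto it = attrs.find(name);
        return it == attrs.end() ? nullptr : it->second.c_str();
    }
};

// Subset of ICC header fields a basic-profile parser fills in (constructed).
struct IccHeaderBasic {
    unsigned long version;   // e.g. 0x04400000 for an ICC v4.4 profile
    char deviceClass[5];     // 4-byte signature such as "mntr", NUL-terminated
    char colorSpace[5];      // 4-byte signature such as "RGB "
};

// Vulnerable pattern (CWE-690 leading to CWE-476): each lookup may return nullptr
// and the result goes straight into strtoul/strncpy. A profile XML that omits one
// of these attributes makes the C library dereference a null pointer, which is UB.
bool parseBasicUnchecked(const XmlElement &e, IccHeaderBasic &out) {
    out.version = strtoul(e.attr("Version"), nullptr, 16);
    strncpy(out.deviceClass, e.attr("DeviceClass"), 4);
    out.deviceClass[4] = '\0';
    strncpy(out.colorSpace, e.attr("ColorSpace"), 4);
    out.colorSpace[4] = '\0';
    return true;
}

// Hardened form: check every lookup, validate the value before use, and report
// failure to the caller instead of dereferencing (SI-10 / SI-11 in practice).
static bool copySignature(const XmlElement &e, const char *name, char out[5], std::string &err) {
    const char *s = e.attr(name);
    if (!s) { err = std::string("missing attribute: ") + name; return false; }
    if (strlen(s) != 4) { err = std::string("signature must be 4 bytes: ") + name; return false; }
    memcpy(out, s, 4);
    out[4] = '\0';
    return true;
}

bool parseBasicChecked(const XmlElement &e, IccHeaderBasic &out, std::string &err) {
    const char *ver = e.attr("Version");
    if (!ver) { err = "missing attribute: Version"; return false; }
    char *end = nullptr;
    unsigned long v = strtoul(ver, &end, 16);
    // Reject empty, trailing garbage, or values that do not fit a 32-bit header field.
    if (end == ver || *end != '\0' || v > 0xFFFFFFFFul) { err = "malformed Version"; return false; }
    if (!copySignature(e, "DeviceClass", out.deviceClass, err)) return false;
    if (!copySignature(e, "ColorSpace", out.colorSpace, err)) return false;
    out.version = v;
    return true;
}

// Constructed sample inputs: a well-formed header and one missing DeviceClass.
XmlElement goodHeader() {
    return XmlElement{{{"Version", "04400000"}, {"DeviceClass", "mntr"}, {"ColorSpace", "RGB "}}};
}
XmlElement truncatedHeader() {
    return XmlElement{{{"Version", "04400000"}, {"ColorSpace", "RGB "}}};
}

int main() {
    IccHeaderBasic h{};
    std::string err;
    if (parseBasicChecked(goodHeader(), h, err))
        printf("ok: version=%08lx class=%s space=%s\n", h.version, h.deviceClass, h.colorSpace);
    if (!parseBasicChecked(truncatedHeader(), h, err))
        printf("rejected: %s\n", err.c_str());
    // parseBasicUnchecked(truncatedHeader(), h) would crash here on a null dereference.
    return 0;
}
```

Running it prints the parsed fields for the well-formed header and a rejection message for the one missing DeviceClass; calling parseBasicUnchecked on that second input instead dereferences a null pointer, which is the crash class (CWE-476) the advisory describes. The same truncated and malformed inputs make a cheap regression test or fuzz seed when validating the move to 2.3.1.2.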
Details
- CWE(s): CWE-20, CWE-476, CWE-690, CWE-758
- Affected Products: iccDEV versions 2.3.1.1 and below (fixed in 2.3.1.2)
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability is triggered when a client application parses a maliciously crafted ICC profile supplied by an attacker, which maps to T1203 (Exploitation for Client Execution): a user opens the file and the parser crashes (denial of service) or, in the worst case, executes attacker-controlled code.