Cyber Posture

CVE-2026-24411

Severity: High · Public PoC

Published: 24 January 2026
Modified: 30 January 2026
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H)
EPSS Score: 0.0017 (37.7th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in CIccTagXmlSegmentedCurve::ToXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to cause a denial of service, manipulate data, bypass application logic, or achieve code execution. This issue has been fixed in version 2.3.1.2.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Directly mandates timely patching of the specific undefined behavior flaw in iccDEV versions <= 2.3.1.1, as fixed in 2.3.1.2.
- prevent: Enforces validation of user-controllable ICC profile inputs to block malformed data causing improper input handling and UB in CIccTagXmlSegmentedCurve::ToXml().
- prevent: Provides memory safeguards against exploitation of UB, NULL pointer dereferences, and potential code execution from malformed ICC profiles.

Security Summary [AI]

CVE-2026-24411 is an Undefined Behavior vulnerability in the iccDEV libraries and tools, which are used for interacting with, manipulating, and applying ICC color management profiles. The issue resides in the CIccTagXmlSegmentedCurve::ToXml() function and affects versions 2.3.1.1 and prior. It arises when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs, leading to potential exploitation. The vulnerability is rated with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H) and is associated with CWE-20 (Improper Input Validation), CWE-476 (NULL Pointer Dereference), CWE-690 (Unchecked Return Value to NULL Pointer Dereference), and CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior).

Remote attackers with no privileges can exploit this vulnerability over the network with low complexity, but it requires user interaction, such as opening a malicious ICC profile. Successful exploitation could result in denial of service (high availability impact), data manipulation (low integrity impact), bypassing application logic, or even code execution, depending on the context of the affected software processing the profile.

Mitigation is available via an update to iccDEV version 2.3.1.2, as detailed in the project's GitHub security advisory (GHSA-x53f-7h27-9fc8), issue tracker (#499), and the fixing commit (d6d6f51a999d4266ec09347cac7e0930d6e02eec). Security practitioners should advise users of affected applications to apply this patch promptly and validate ICC profiles from untrusted sources.

Details

Affected Products: color / iccdev, ≤ 2.3.1.2

MITRE ATT&CK Enterprise Techniques [AI]

- T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
- T1204.002 Malicious File (tactic: Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques? The vulnerability is exploited remotely via user interaction with a malicious ICC profile file, enabling client-side exploitation for code execution, DoS, or data manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
