Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Published: 2026-01-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Code Execution
Action: Immediate Patch
AI Analysis

Impact

A null pointer dereference and undefined behavior in the CIccXmlArrayType function of iccDEV permits maliciously crafted ICC profiles to trigger memory corruption. This flaw can lead to denial of service, data manipulation, logic bypass, and ultimately arbitrary code execution when user-controlled input is parsed by the library.

Affected Systems

The InternationalColorConsortium iccDEV library is affected in versions 2.3.1.1 and earlier. Any application that processes ICC profiles with one of these releases is exposed through that library.

Risk and Exploitability

The CVSS score is 7.1 (High), while the EPSS score of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply a crafted ICC profile to a vulnerable application; the impact is limited to systems that load such files, but code execution could be achieved once the vulnerability is triggered.

Generated by OpenCVE AI on April 18, 2026 at 02:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the iccDEV library to version 2.3.1.2 or later, which patches the null-pointer dereference and related defects.
  • Restrict the acceptance of ICC profiles to trusted sources and implement strict validation or sandboxing of profile processing to guard against malformed data.
  • If an upgrade is not immediately possible, isolate or quarantine services that consume ICC profile data from untrusted input until a patch can be applied.



Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Color; Color iccdev
CPEs | | cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products | | Color; Color iccdev

Mon, 26 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Internationalcolorconsortium; Internationalcolorconsortium iccdev
Vendors & Products | | Internationalcolorconsortium; Internationalcolorconsortium iccdev

Sat, 24 Jan 2026 01:15:00 +0000

Type | Values Removed | Values Added
Description | | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Title | | iccDEV has Null Pointer Dereference and Undefined Behavior in CIccXmlArrayType()
Weaknesses | | CWE-20; CWE-476; CWE-690; CWE-758
References | |
Metrics | | cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T16:17:43.756Z

Reserved: 2026-01-22T18:19:49.173Z

Link: CVE-2026-24404

Vulnrichment

Updated: 2026-01-26T16:14:32.386Z

NVD

Status : Analyzed

Published: 2026-01-24T01:15:50.773

Modified: 2026-01-30T18:24:22.337

Link: CVE-2026-24404

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z