Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccTagXmlFloatNum<>::ParseXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Published: 2026-01-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and potential code execution
Action: Immediate Patch
AI Analysis

Impact

The flaw is caused by unsafe handling of XML data in CIccTagXmlFloatNum's ParseXml method, leading to undefined behavior and null pointer dereference. The effect can be a program crash or manipulation of data and bypass of application logic, giving an attacker denial‑of‑service, data tampering, or potentially arbitrary code execution. The listed CWEs reflect input validation weaknesses and null pointer usage.

Affected Systems

All installations of InternationalColorConsortium's iccDEV library that are at or below version 2.3.1.1 are vulnerable, regardless of the host platform or usage scenario. Versions 2.3.1.2 and later include the fix and are safe.

Risk and Exploitability

The base CVSS score of 7.1 indicates a medium‑to‑high risk. The EPSS score of less than 1% suggests that exploitation opportunities are currently uncommon, and the vulnerability is not yet listed in the CISA KEV catalog. Nevertheless, the attack surface is active: a crafted ICC profile or other structured binary blob can trigger the parsing routine. Successful exploitation could crash the process or, in constrained environments where memory corruption is exploitable, lead to code execution. Therefore, the vulnerability should be considered exploitable by attackers with sufficient persistence and motivation.

Generated by OpenCVE AI on April 18, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later
  • Validate and sanitize ICC profile data before parsing to prevent malformed input from reaching ParseXml
  • If an upgrade is not immediately possible, restrict the library to trusted data sources or run the application in a sandboxed environment

Generated by OpenCVE AI on April 18, 2026 at 15:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Sat, 24 Jan 2026 02:00:00 +0000

Type Values Removed Values Added
Description iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccTagXmlFloatNum<>::ParseXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Title iccDEV has Undefined Behavior and Null Pointer Deference in CIccTagXmlFloatNum<>::ParseXml()
Weaknesses CWE-20
CWE-476
CWE-690
CWE-758
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T17:10:09.299Z

Reserved: 2026-01-22T18:19:49.174Z

Link: CVE-2026-24409

cve-icon Vulnrichment

Updated: 2026-01-26T17:10:04.105Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-24T02:15:48.930

Modified: 2026-01-30T18:24:52.510

Link: CVE-2026-24409

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:15:03Z

Weaknesses