Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and a Null Pointer Dereference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic, and achieve Code Execution. This issue has been fixed in version 2.3.1.2.
Published: 2026-01-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service, Data Manipulation, Possible Code Execution
Action: Apply Patch
AI Analysis

Impact

A flaw in iccDEV's CIccProfileXml::ParseBasic() function causes undefined behavior and null-pointer dereferences when user-controlled ICC profile data or other structured binary blobs are processed. The improper handling can lead to program crashes, corrupt or tampered data, bypass of application logic, and in extreme cases remote code execution within the process. The vulnerability is triggered by maliciously crafted profile files or blobs.

Affected Systems

The issue affects the InternationalColorConsortium iccDEV libraries and tools up to and including version 2.3.1.1. Versions thereafter are unaffected.

Risk and Exploitability

With an overall CVSS score of 7.1, the vulnerability is considered moderately high. The EPSS score is under 1 %, indicating a low probability of exploitation in the wild. It is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation requires an attacker who can supply crafted ICC profiles or binary data; the attack vector is inferred to be local, or any environment in which user input can reach the parsing routine.

Generated by OpenCVE AI on April 18, 2026 at 02:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later, which removes the vulnerability.
  • If an upgrade is not immediately possible, restrict or validate all ICC profile inputs before they reach CIccProfileXml::ParseBasic() to avoid null dereference and undefined behavior.
  • Monitor application logs for abnormal crashes or data integrity issues that may indicate attempted exploitation.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Color
                                      Color iccdev
CPEs                                  cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products                    Color
                                      Color iccdev

Mon, 26 Jan 2026 19:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Internationalcolorconsortium
                                      Internationalcolorconsortium iccdev
Vendors & Products                    Internationalcolorconsortium
                                      Internationalcolorconsortium iccdev

Sat, 24 Jan 2026 02:00:00 +0000

Type          Values Removed   Values Added
Description                    iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and a Null Pointer Dereference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic, and achieve Code Execution. This issue has been fixed in version 2.3.1.2.
Title                          iccDEV has Undefined Behavior and Null Pointer Dereference in CIccProfileXml::ParseBasic()
Weaknesses                     CWE-20
                               CWE-476
                               CWE-690
                               CWE-758
References
Metrics                        cvssV3_1
                               {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T16:17:34.201Z

Reserved: 2026-01-22T18:19:49.174Z

Link: CVE-2026-24410

Vulnrichment

Updated: 2026-01-26T16:14:30.268Z

NVD

Status: Analyzed

Published: 2026-01-24T02:15:49.080

Modified: 2026-01-30T18:24:57.203

Link: CVE-2026-24410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z