Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in CIccTagXmlSegmentedCurve::ToXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Published: 2026-01-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and potential code execution
Action: Patch immediately
AI Analysis

Impact

Undefined behavior and a null pointer dereference happen when CIccTagXmlSegmentedCurve::ToXml() processes user-controlled data. The defect arises during the conversion of an ICC profile segment to XML, allowing a crafted profile to cause unpredictable execution paths. The consequence is a denial of service, data corruption, or, in some scenarios where the library passes control to external code, arbitrary code execution.

Affected Systems

International Color Consortium iccDEV versions 2.3.1.1 and prior are affected. The vulnerability is triggered by malformed ICC profile files or other binary blobs that incorporate unsanitized input, impacting any application that utilizes iccDEV for color profile handling such as image editors, print drivers, or similar utilities. The issue is resolved in release 2.3.1.2.

Risk and Exploitability

The CVSS base score of 7.1 indicates high severity, yet the EPSS score is below 1%, suggesting that exploitation has a low current probability and the vulnerability is not listed in CISA’s known exploited vulnerabilities catalog. Exploitation is likely limited to environments where an attacker can supply or influence ICC profile data processed by iccDEV, potentially requiring local or application-level access. The risk to affected systems is significant because malformed input can trigger a crash or enable code execution depending on how the library interacts with application callbacks.

Generated by OpenCVE AI on April 18, 2026 at 02:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade iccDEV to version 2.3.1.2 or later.
  • If an upgrade is delayed, limit ICC profile loading to trusted sources and perform strict validation before processing the profile data.
  • Operate applications that use iccDEV in constrained or sandboxed environments to restrict the impact of potential code execution.

Generated by OpenCVE AI on April 18, 2026 at 02:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Color
Color iccdev
CPEs cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*
Vendors & Products Color
Color iccdev

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Internationalcolorconsortium
Internationalcolorconsortium iccdev
Vendors & Products Internationalcolorconsortium
Internationalcolorconsortium iccdev

Sat, 24 Jan 2026 02:00:00 +0000

Type Values Removed Values Added
Description iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in CIccTagXmlSegmentedCurve::ToXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Title iccDEV has Undefined Behavior and Null Pointer Deference in CIccTagXmlSegmentedCurve::ToXml()
Weaknesses CWE-20
CWE-476
CWE-690
CWE-758
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}

Subscriptions

Color Iccdev
Internationalcolorconsortium Iccdev
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T16:17:29.105Z

Reserved: 2026-01-22T18:19:49.174Z

Link: CVE-2026-24411

cve-icon Vulnrichment

Updated: 2026-01-26T16:14:28.093Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-24T02:15:49.223

Modified: 2026-01-30T18:25:00.933

Link: CVE-2026-24411

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:00:10Z

Weaknesses