CVE-2026-24404

7.1 HIGH

📋 TL;DR

A NULL pointer dereference in iccDEV's CIccXmlArrayType() lets an attacker who supplies crafted ICC profile data crash the process that parses it. The listed worst-case outcomes (data manipulation, bypass of application logic, arbitrary code execution) are the advisory-style upper bound for this bug class; no public proof of concept demonstrates more than a crash, and a NULL dereference in practice almost always terminates the process. All iccDEV libraries and tools up to and including version 2.3.1.1 are affected. The bug is reached when user-controllable input is incorporated into ICC profiles or the structured binary blobs iccDEV builds them from, so any application that parses profiles from untrusted sources is exposed.

💻 Affected Systems

Products:
  • iccDEV libraries and tools
Versions: 2.3.1.1 and below
Operating Systems: All platforms running iccDEV
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using iccDEV to parse ICC color profiles is affected

📦 What is this software?

iccDEV (formerly DemoIccMAX) is the International Color Consortium's open-source C++ reference implementation for ICC and iccMAX color profiles, hosted at github.com/InternationalColorConsortium/iccDEV. It ships as libraries (IccProfLib for profile parsing and application, IccXML for converting profiles to and from XML) plus command-line tools, and is embedded by other applications that need to read, validate, convert or apply profiles.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise

🟠

Likely Case

Denial of service or data manipulation affecting color profile processing

🟢

If Mitigated

A contained crash of the isolated parsing process; the calling application keeps running and the rejected input is logged

🌐 Internet-Facing: MEDIUM - Applications processing untrusted ICC profiles from external sources are vulnerable
🏢 Internal Only: LOW - Internal systems processing trusted ICC profiles have reduced exposure

🎯 Exploit Status

Public PoC: No (none known)
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious ICC profile data and getting the target to parse it, for example by uploading a profile (or an image or document that carries one) to an application that runs iccDEV on it. No authentication is needed beyond whatever the upload path itself requires.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.1.2

Vendor Advisory: https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hqfg-45jp-hp9f

Restart Required: Yes for any running process that has the old shared library loaded; applications that link iccDEV statically or vendor its sources must be rebuilt.

Instructions:

1. Update iccDEV to version 2.3.1.2 or later (the tagged release from the repository linked in the advisory).
2. Rebuild and redeploy every application that links iccDEV statically or compiles its sources in.
3. Replace the installed shared libraries and tools with the patched build and restart processes that still have the old library mapped.

🔧 Temporary Workarounds

Input validation for ICC profiles (all platforms)

Implement strict structural validation of ICC profile data, and of any XML or binary blob that will be turned into a profile, before it reaches iccDEV: check the header signature and declared size, bound the tag table, and reject anything malformed instead of letting the parser discover it.

Sandbox ICC profile processing (all platforms)

Run ICC profile parsing in a separate, restricted process (minimal privileges, memory and CPU limits, no network, disposable working directory) so that a NULL dereference only terminates that process and the caller sees a failure it can log.
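The following is an added example of the "input validation" workaround, not code from the iccDEV project or this advisory. It is a structural pre-check for binary ICC profiles written in Python because it belongs in the application that receives uploads, in front of iccDEV, rather than inside the C++ library. It checks the parts every ICC reader trusts first (the 128-byte header and the tag table) and rejects blobs whose tag ranges fall outside the data, including the 32-bit offset wrap that a naive offset + size comparison in C would miss. The sample profiles are constructed in the script; the tag-count ceiling is an assumption, and this gate does not target the specific CIccXmlArrayType() code path, which the advisory does not detail.

```python
import struct
from typing import List, Tuple

ICC_HEADER_LEN = 128
ICC_TAG_ENTRY_LEN = 12
ICC_MAGIC = b"acsp"      # profile file signature at header offset 36
MIN_TAG_LEN = 8          # each tag element begins with a 4-byte type signature + 4 reserved bytes
MAX_TAG_COUNT = 1024     # assumption: generous ceiling, real profiles carry far fewer tags


def validate_icc(data: bytes) -> List[str]:
    """Return structural problems found in an ICC blob; an empty list means it passes.

    This is a gate in front of the real parser, not a replacement for it: it only
    checks the header and the tag table, not the contents of individual tags.
    """
    errors: List[str] = []
    n = len(data)
    if n < ICC_HEADER_LEN + 4:
        return [f"too short for header and tag count: {n} bytes"]
    if data[36:40] != ICC_MAGIC:
        errors.append("missing 'acsp' signature at offset 36")
    declared = struct.unpack(">I", data[0:4])[0]
    if declared != n:
        errors.append(f"header size field {declared} != actual length {n}")
    count = struct.unpack(">I", data[ICC_HEADER_LEN:ICC_HEADER_LEN + 4])[0]
    if count > MAX_TAG_COUNT:
        return errors + [f"tag count {count} exceeds ceiling {MAX_TAG_COUNT}"]
    table_end = ICC_HEADER_LEN + 4 + count * ICC_TAG_ENTRY_LEN
    if table_end > n:
        return errors + [f"tag table with {count} entries runs past end of data"]
    seen = set()
    for i in range(count):
        entry = ICC_HEADER_LEN + 4 + i * ICC_TAG_ENTRY_LEN
        sig, tag_off, tag_len = struct.unpack(">4sII", data[entry:entry + ICC_TAG_ENTRY_LEN])
        if sig in seen:
            errors.append(f"duplicate tag {sig!r}")
        seen.add(sig)
        # Python ints do not wrap, so tag_off + tag_len is an honest comparison here;
        # C code must test tag_len <= n - tag_off instead to avoid 32-bit overflow.
        if tag_off < table_end or tag_off + tag_len > n:
            errors.append(f"tag {sig!r} range [{tag_off}, +{tag_len}) lies outside the data")
            continue
        if tag_len < MIN_TAG_LEN:
            errors.append(f"tag {sig!r} too small for a type signature: {tag_len} bytes")
        if tag_off % 4:
            errors.append(f"tag {sig!r} offset {tag_off} is not 4-byte aligned")
    return errors


def build_profile(tags: List[Tuple[bytes, bytes]]) -> bytes:
    """Assemble a minimal, structurally valid ICC blob from (signature, payload) pairs.

    Constructed test data only: the header is zero apart from the size and 'acsp'.
    """
    table_end = ICC_HEADER_LEN + 4 + ICC_TAG_ENTRY_LEN * len(tags)
    entries, body = [], b""
    for sig, payload in tags:
        entries.append(struct.pack(">4sII", sig, table_end + len(body), len(payload)))
        body += payload + b"\0" * (-len(payload) % 4)   # keep the next tag 4-byte aligned
    total = table_end + len(body)
    header = struct.pack(">I", total) + b"\0" * 32 + ICC_MAGIC
    header += b"\0" * (ICC_HEADER_LEN - len(header))
    return header + struct.pack(">I", len(tags)) + b"".join(entries) + body


# Constructed samples (not real CVE reproducers): a well-formed two-tag profile, and the same
# blob with the 'desc' tag offset set to 0xFFFFFFF0 so offset + size wraps to 0 in uint32 math.
GOOD_PROFILE = build_profile([(b"desc", b"mluc" + b"\0" * 12), (b"wtpt", b"XYZ " + b"\0" * 16)])
BAD_OFFSET_PROFILE = GOOD_PROFILE[:136] + struct.pack(">I", 0xFFFFFFF0) + GOOD_PROFILE[140:]

if __name__ == "__main__":
    for name, blob in (("good", GOOD_PROFILE), ("bad-offset", BAD_OFFSET_PROFILE),
                       ("truncated", GOOD_PROFILE[:100])):
        print(name, validate_icc(blob) or "ok")
```

Run the gate on every profile before handing it to iccDEV and drop anything that returns a non-empty list; the error strings are intended for your own logs, not for the uploader.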

🧯 If You Can't Patch

  • Implement strict input validation for all ICC profile data
  • Restrict processing of untrusted ICC profiles to isolated environments
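The following is an added example of the "isolated environment" workaround described in both the Temporary Workarounds and If You Can't Patch sections; it is not code from the iccDEV project or this advisory. It runs an ICC-processing command in a child process with a throwaway working directory, a stripped environment, an address-space cap, no core dumps and a wall-clock timeout, then classifies the outcome so that a signal death (what a NULL dereference produces) is reported as a crash rather than silently swallowed. The command line is whatever tool you use; the demo stands in a small Python child for it, and the "{input}" placeholder convention and resource defaults are this example's own assumptions.

```python
import os
import resource
import subprocess
import sys
import tempfile
from typing import List, Optional, Tuple


def _apply_limits(mem_bytes: int) -> None:
    """Runs in the child just before exec: cap address space and forbid core dumps."""
    for res, cap in ((resource.RLIMIT_AS, mem_bytes), (resource.RLIMIT_CORE, 0)):
        _soft, hard = resource.getrlimit(res)
        if hard != resource.RLIM_INFINITY:
            cap = min(cap, hard)      # never request more than the hard limit permits
        resource.setrlimit(res, (cap, hard))


def run_isolated(argv: List[str], blob: bytes, timeout_s: float = 10.0,
                 mem_bytes: int = 1024 * 1024 * 1024) -> Tuple[str, Optional[int], str]:
    """Run an ICC-processing command on one untrusted blob and classify what happened.

    argv is the command line; the placeholder "{input}" is replaced by the path of a
    temporary file holding the blob. The child gets a disposable working directory,
    no stdin, a minimal environment, a memory cap and a wall-clock timeout.
    Returns (verdict, returncode, stderr_tail) with verdict in
    {"ok", "error", "crash", "timeout"}; "crash" means the child died from a signal.
    """
    with tempfile.TemporaryDirectory(prefix="icc-") as work:
        path = os.path.join(work, "input.icc")
        with open(path, "wb") as f:
            f.write(blob)
        cmd = [a.replace("{input}", path) for a in argv]
        try:
            proc = subprocess.run(
                cmd, cwd=work, stdin=subprocess.DEVNULL,
                stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                env={"PATH": os.environ.get("PATH", "/usr/bin:/bin")},
                timeout=timeout_s, preexec_fn=lambda: _apply_limits(mem_bytes),
            )
        except subprocess.TimeoutExpired:
            return ("timeout", None, "")
    tail = proc.stderr.decode("utf-8", "replace")[-200:]
    rc = proc.returncode
    if rc < 0:                 # POSIX: a negative return code is the terminating signal number
        return ("crash", rc, tail)
    return ("ok" if rc == 0 else "error", rc, tail)


def python_child(snippet: str) -> List[str]:
    """argv for a throwaway Python child standing in for an ICC tool (demo helper only)."""
    return [sys.executable, "-c", snippet, "{input}"]


if __name__ == "__main__":
    # Constructed stand-ins for the three behaviours a parser can exhibit.
    demo = {
        "clean parse": "import sys; open(sys.argv[1], 'rb').read()",
        "null deref":  "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)",
        "runaway":     "import time; time.sleep(60)",
    }
    for label, code in demo.items():
        print(label, run_isolated(python_child(code), b"\0" * 132, timeout_s=2))
```

Treat "crash" and "timeout" as rejections of the input and as events worth logging with the client identity, since repeated crashes from one source are the clearest signal you will get for this bug without a public PoC. For stronger isolation wrap the same command in a container or seccomp/AppArmor profile; the classification logic does not change.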

🔍 How to Verify

Check if Vulnerable:

Any build of iccDEV at version 2.3.1.1 or earlier is vulnerable, including copies vendored into other applications' source trees.

Check Version:

iccDEV is a library plus a set of command-line tools rather than a single iccdev binary, so read the version from the release tag or source tree you built from (for a git checkout, git describe --tags) or from the version string in the library's version header, and check each application that embeds the library separately.

Verify Fix Applied:

Confirm the version is 2.3.1.2 or later, that every dependent application has been rebuilt or restarted against it, and re-run your own ICC fuzzing or regression corpus; no public proof of concept is available to test with.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during ICC profile processing
  • Unexpected memory access errors in color management modules

Network Indicators:

  • Unusual ICC profile uploads to applications
  • Multiple failed ICC processing attempts

SIEM Query:

search ('application crash' OR 'segfault' OR 'SIGSEGV') AND ('icc' OR 'color profile')

(The OR group must be parenthesised: written as 'application crash' AND 'icc' OR 'color profile', AND binds tighter than OR and the query matches every line that mentions a color profile, crash or not.)
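The following is an added example of the detection logic, not part of the original advisory, run over constructed log lines (no real system produced them). It implements the crash-plus-ICC-context match that the SIEM query is meant to express, shows on the same lines why the unparenthesised query misfires, and correlates crash events per client to surface the "multiple failed ICC processing attempts" indicator. The log format, client field name and alert threshold are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample log lines: a kernel segfault in an ICC tool, the web app's own view of
# the same events, and benign noise that a sloppy query would pick up.
SAMPLE_LOGS = [
    "2026-02-10T09:15:02Z app[2310]: client=203.0.113.7 upload profile name=photo.icc bytes=1442",
    "2026-02-10T09:15:02Z kernel: iccFromXml[2344]: segfault at 0 ip 000055d0c2a1f3b0 sp 00007ffd2e1c9a40 error 4",
    "2026-02-10T09:15:03Z app[2310]: client=203.0.113.7 icc processing failed rc=-11",
    "2026-02-10T09:16:40Z app[2310]: client=198.51.100.4 color profile loaded name=print.icc ok",
    "2026-02-10T09:17:01Z app[2310]: application crash in pdf renderer rc=-6",
    "2026-02-10T09:17:09Z app[2310]: client=203.0.113.7 icc processing failed rc=-11",
    "2026-02-10T09:17:12Z app[2310]: client=203.0.113.7 icc processing failed rc=-11",
]

CRASH = re.compile(r"segfault|SIGSEGV|signal 11|application crash|rc=-\d+", re.I)
ICC_CONTEXT = re.compile(r"\bicc|color profile", re.I)
CLIENT = re.compile(r"client=(\S+)")


def naive_match(line: str) -> bool:
    """The page's query taken literally: AND binds tighter than OR, so any line that
    mentions 'color profile' matches whether or not anything crashed."""
    return ("application crash" in line and "icc" in line) or "color profile" in line


def icc_crash(line: str) -> bool:
    """A crash signature AND an ICC context term on the same line."""
    return bool(CRASH.search(line) and ICC_CONTEXT.search(line))


def crash_lines(lines: List[str]) -> List[str]:
    return [line for line in lines if icc_crash(line)]


def repeat_offenders(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Clients with at least `threshold` ICC crash events (threshold is an assumption)."""
    counts: Counter = Counter()
    for line in crash_lines(lines):
        m = CLIENT.search(line)
        if m:
            counts[m.group(1)] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"naive={naive_match(line)!s:5} strict={icc_crash(line)!s:5} {line}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOGS))
```

The kernel segfault line carries no client field, so it counts as a crash event but not toward any client; correlate it with the application's own failure line by timestamp and process id if you need attribution from the kernel side.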

🔗 References
