CVE-2026-24410

7.1 HIGH

📋 TL;DR

CVE-2026-24410 is a vulnerability in iccDEV's ICC color management profile libraries: improper input validation in CIccProfileXml::ParseBasic() leads to undefined behavior and null pointer dereferences. An attacker can trigger it by supplying malicious ICC profile data, causing denial of service, data manipulation, or potentially arbitrary code execution. All applications using iccDEV versions 2.3.1.1 and earlier are affected.

💻 Affected Systems

Products:
  • iccDEV library and tools
Versions: 2.3.1.1 and below
Operating Systems: All platforms running iccDEV
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using iccDEV to parse ICC profiles is vulnerable

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise
🟠 Likely Case: Application crash (DoS) or data corruption
🟢 If Mitigated: Application crash with limited impact if sandboxed

🌐 Internet-Facing: MEDIUM - Requires user to process malicious ICC profiles, which could come from untrusted sources
🏢 Internal Only: LOW - Requires internal users to process malicious profiles

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious ICC profile data and getting it processed by vulnerable software

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.1.2

Vendor Advisory: https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398q-4rpv-3v9r

Restart Required: Yes

Instructions:

1. Update iccDEV to version 2.3.1.2 or later.
2. Rebuild any applications using iccDEV.
3. Restart affected services.

🔧 Temporary Workarounds

  • Input validation for ICC profiles (applies to: all): Implement strict validation of ICC profile data before processing
  • Sandbox ICC profile processing (applies to: all): Run ICC profile processing in isolated containers or sandboxes

🧯 If You Can't Patch

  • Implement strict input validation for all ICC profile data
  • Isolate ICC profile processing to dedicated, restricted systems
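An added example (not from this page or the iccDEV project) of the "strict validation before processing" workaround listed above: it checks the standard binary ICC container layout (128-byte header, 'acsp' signature at offset 36, tag table bounds) so malformed files can be rejected before any full parser runs. It assumes the application receives binary .icc/.icm files; it does not cover the XML profile form that CIccProfileXml parses, and the MAX_TAG_COUNT ceiling and the sample-builder are this example's own choices.

```python
import struct

ICC_HEADER_SIZE = 128       # fixed ICC profile header
ICC_TAG_ENTRY_SIZE = 12     # signature + offset + size, all big-endian
MAX_TAG_COUNT = 4096        # defensive ceiling chosen here; the spec sets none


def validate_icc_profile(data: bytes) -> list:
    """Return structural problems found in a binary ICC profile container.
    An empty list means the header/tag-table layout is internally consistent,
    not that the tag contents themselves are valid."""
    problems = []
    if len(data) < ICC_HEADER_SIZE + 4:
        return ["too short for an ICC header and tag count"]
    declared = struct.unpack(">I", data[0:4])[0]
    if declared != len(data):
        problems.append(f"header size {declared} != actual {len(data)}")
    if data[36:40] != b"acsp":
        problems.append("missing 'acsp' signature at offset 36")
    tag_count = struct.unpack(">I", data[128:132])[0]
    if tag_count > MAX_TAG_COUNT:
        return problems + [f"tag count {tag_count} exceeds limit"]
    table_end = ICC_HEADER_SIZE + 4 + tag_count * ICC_TAG_ENTRY_SIZE
    if table_end > len(data):
        return problems + ["tag table runs past end of profile"]
    seen = set()
    for i in range(tag_count):
        entry = ICC_HEADER_SIZE + 4 + i * ICC_TAG_ENTRY_SIZE
        sig, off, size = struct.unpack(">4sII", data[entry:entry + 12])
        if sig in seen:
            problems.append(f"duplicate tag {sig!r}")
        seen.add(sig)
        # Python ints never wrap; a C parser computing off + size must guard overflow
        if off < table_end or off + size > len(data):
            problems.append(f"tag {sig!r} at {off}+{size} is out of bounds")
    return problems


def build_sample_profile(tags) -> bytes:
    """Construct a minimal test profile (constructed sample, not a real ICC file)."""
    table_end = ICC_HEADER_SIZE + 4 + len(tags) * ICC_TAG_ENTRY_SIZE
    entries, body = b"", b""
    for sig, payload in tags:
        entries += struct.pack(">4sII", sig, table_end + len(body), len(payload))
        body += payload
    header = bytearray(ICC_HEADER_SIZE)
    header[0:4] = struct.pack(">I", table_end + len(body))
    header[36:40] = b"acsp"
    return bytes(header) + struct.pack(">I", len(tags)) + entries + body
```

Run the validator on every profile at the trust boundary (upload handler, file-open hook) and drop the file if it returns any problem; a clean result is a pre-filter, not a substitute for the patched library.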

🔍 How to Verify

Check if Vulnerable:

Check if application uses iccDEV version 2.3.1.1 or earlier

Check Version:

iccdev --version or check library version in application

Verify Fix Applied:

Verify iccDEV version is 2.3.1.2 or later

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing ICC profiles
  • Segmentation faults in iccDEV-related processes

Network Indicators:

  • Unexpected ICC profile uploads to applications

SIEM Query:

Process:iccdev AND (EventID:1000 OR EventID:1001) OR FilePath:*.icc OR FilePath:*.icm
