CVE-2026-24407

iccDEV has Undefined Behavior in icSigCalcOp()

CVSS 7.1 HIGHEPSS 0.4%CWE-20 CWE-758

In short

iccDEV, a color management library, has a flaw in how it processes user input when handling ICC color profiles. An attacker can craft a malicious profile to crash the application, corrupt data, or potentially execute code.

Technical detail

Undefined behavior in icSigCalcOp() function occurs when untrusted user input is unsafely deserialized into ICC profile structures without proper validation (CWE-20). This can lead to out-of-bounds access, integer overflow, or memory corruption, enabling DoS, data tampering, logic bypass, and arbitrary code execution depending on memory layout and application context.

Summary generated and translated by AI from the official description.

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Affected products

InternationalColorConsortium · iccDEV

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/InternationalColorConsortium/iccDEV/commit/881802931a71c4b0dfc28bc80ee55b2cb84dab90 https://github.com/InternationalColorConsortium/iccDEV/issues/481 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-m6gx-93cp-4855