CVE-2026-24410

iccDEV has Undefined Behavior and Null Pointer Deference in CIccProfileXml::ParseBasic()

CVSS 7.1 HIGHEPSS 0.3%CWE-20 CWE-476 CWE-690 CWE-758

In short

iccDEV's color profile library crashes or behaves unpredictably when processing malformed ICC profile files, allowing attackers to disrupt the application or potentially execute code by crafting a specially designed profile file.

Technical detail

A null pointer dereference vulnerability exists in CIccProfileXml::ParseBasic() when parsing untrusted ICC profile input; exploitation via malicious binary profile data may result in denial of service, information disclosure, data corruption, or arbitrary code execution depending on memory state and application context.

Summary generated and translated by AI from the official description.

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Affected products

InternationalColorConsortium · iccDEV

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/InternationalColorConsortium/iccDEV/commit/3cf522b13832692b107322cd51c4ae5c3a21f366 https://github.com/InternationalColorConsortium/iccDEV/issues/507 https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398q-4rpv-3v9r