Cyber Resilience

CVE-2026-24407

Severity: High · Public PoC

Published: 24 January 2026
Modified: 30 January 2026
KEV Added: not listed
Patch: available (2.3.1.2)
CVSS Score: v3.1 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H)
EPSS Score: 0.0040 (31.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-24407 is a high-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 31.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24407 is an Undefined Behavior vulnerability in the icSigCalcOp() function within iccDEV, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. The flaw affects versions 2.3.1.1 and earlier, where user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs, leading to CWE-20 (Improper Input Validation) and CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior). The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H), indicating high availability impact, low integrity impact and no confidentiality impact.

Attackers can exploit this vulnerability remotely over a network with low complexity and no privileges required, but it requires user interaction, such as convincing a victim to process a malicious ICC profile. Successful exploitation may enable denial of service (DoS), data manipulation, bypassing application logic, or even code execution, depending on the context in which the affected software parses the malformed profile.

Mitigation is available via an update to iccDEV version 2.3.1.2, which addresses the issue as detailed in the project's GitHub security advisory (GHSA-m6gx-93cp-4855), the related issue (#481), and the fixing commit (881802931a71c4b0dfc28bc80ee55b2cb84dab90). Security practitioners should advise clients using iccDEV-dependent applications, such as image processing tools, to apply the patch promptly and to validate ICC profiles from untrusted sources before processing them.

Vulnerability details

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic, or execute code. This issue has been fixed in version 2.3.1.2.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability in iccDEV allows code execution or DoS via processing a malicious ICC profile in client applications, directly mapping to Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21677 (same product: Color Iccdev)
CVE-2026-24410 (same product: Color Iccdev)
CVE-2026-21682 (same product: Color Iccdev)
CVE-2026-24403 (same product: Color Iccdev)
CVE-2026-24406 (same product: Color Iccdev)
CVE-2026-24412 (same product: Color Iccdev)
CVE-2026-21693 (same product: Color Iccdev)
CVE-2026-21692 (same product: Color Iccdev)
CVE-2026-21688 (same product: Color Iccdev)
CVE-2026-22047 (same product: Color Iccdev)

Affected Assets

color / iccdev ≤ 2.3.1.2 (the advisory text above gives versions 2.3.1.1 and earlier as affected and 2.3.1.2 as the fixed release)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent, SI-10 (Information Input Validation): Directly mitigates the CWE-20 improper input validation of user-controllable input incorporated into ICC profile data, preventing undefined behavior exploitation.

prevent, SI-2 (Flaw Remediation): Requires timely patching of the icSigCalcOp() flaw by updating to iccDEV version 2.3.1.2, eliminating the vulnerability.

prevent: Ensures undefined behavior from malformed ICC profiles is handled securely to limit DoS, data manipulation, or code execution impacts.
