CVE-2026-24409

HighPublic PoC

Published: 24 January 2026

Published

24 January 2026

Modified

30 January 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

EPSS Score 0.0014 34.5th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24409 is a high-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates improper input validation (CWE-20) by requiring validation of user-controllable ICC profile data before parsing to prevent null pointer dereferences and undefined behavior.

SI-2 Flaw Remediation good match

prevent

Ensures timely flaw remediation by requiring upgrades to patched versions like iccDEV 2.3.1.2 to eliminate the null pointer dereference vulnerability.

SI-11 Error Handling good match

prevent

Addresses error handling for unchecked return values (CWE-690) and undefined behavior (CWE-758) during XML parsing to prevent crashes, DoS, and potential exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Vulnerability in ICC profile parsing library enables client-side exploitation of software vulnerabilities for potential code execution (T1203) and application crashes/denial of service via null pointer dereference (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccTagXmlFloatNum<>::ParseXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data…

or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

Deeper analysisAI

CVE-2026-24409 is an Undefined Behavior and Null Pointer Dereference vulnerability in the CIccTagXmlFloatNum<>::ParseXml() function within iccDEV, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. The flaw affects versions 2.3.1.1 and earlier, where user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs, leading to CWE-20 (Improper Input Validation), CWE-476 (NULL Pointer Dereference), CWE-690 (Unchecked Return Value to NULL Pointer Dereference), and CWE-758 ( Reliance on Undefined, Unspecified, or Implementation-Defined Behavior). The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).

Remote attackers without privileges can exploit this issue over the network with low complexity, but it requires user interaction, such as opening a malicious ICC profile. Successful exploitation enables denial of service through crashes, data manipulation, bypassing application logic, and potentially code execution, with high impact on availability and low impact on integrity.

Mitigation is addressed in the official GitHub security advisory (GHSA-398v-jvcg-p8f3), issue tracker (#484), and fixing commit (9f134c44895edd2edca4bcb97e15c0ba9aa77382), which recommend upgrading to iccDEV version 2.3.1.2.

Details

CWE(s): CWE-20 CWE-476 CWE-690 CWE-758

Affected Products

color

iccdev

≤ 2.3.1.2

CVEs Like This One

CVE-2026-24404Same product: Color Iccdev

CVE-2026-24410Same product: Color Iccdev

CVE-2026-24411Same product: Color Iccdev

CVE-2026-21677Same product: Color Iccdev

CVE-2026-24407Same product: Color Iccdev

CVE-2026-30978Same product: Color Iccdev

CVE-2026-21688Same product: Color Iccdev

CVE-2026-21686Same product: Color Iccdev

CVE-2026-21684Same product: Color Iccdev

CVE-2026-21685Same product: Color Iccdev

References

https://github.com/InternationalColorConsortium/iccDEV/commit/9f134c44895edd2edca4bcb97e15c0ba9aa77382
Patch · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/issues/484
Exploit, Issue Tracking · security-advisories@github.com
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398v-jvcg-p8f3
Patch, Vendor Advisory · security-advisories@github.com