Cyber Posture

CVE-2026-24410

High · Public PoC

Published: 24 January 2026
Modified: 30 January 2026
KEV Added: not listed
Patch: fixed in version 2.3.1.2
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H)
EPSS Score: 0.0014 (34.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24410 is a high-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 34.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: SI-2 Flaw Remediation. Timely flaw remediation directly addresses this vulnerability by requiring updates to the patched iccDEV version 2.3.1.2.

prevent: SI-10 Information Input Validation. Information input validation prevents exploitation by ensuring user-controllable ICC profile data is checked for consistency before parsing in CIccProfileXml::ParseBasic().

prevent: Secure error handling. Handling parse failures safely mitigates undefined behavior and null pointer dereferences by ensuring failures do not lead to DoS, data manipulation, or code execution.

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability is exploited remotely via user interaction when parsing maliciously crafted ICC profiles in client applications, directly enabling T1203: Exploitation for Client Execution for potential code execution or denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Dereference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

Deeper analysis · AI

CVE-2026-24410 is an Undefined Behavior and Null Pointer Dereference vulnerability in the CIccProfileXml::ParseBasic() function of iccDEV, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. The flaw affects versions 2.3.1.1 and below, where user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. It is associated with CWE-20 (Improper Input Validation), CWE-476 (NULL Pointer Dereference), CWE-690 (Unchecked Return Value to NULL Pointer Dereference), and CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior), and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).

The vulnerability can be exploited remotely by unauthenticated attackers with low complexity, requiring user interaction such as opening a maliciously crafted ICC profile. Exploitation occurs when the affected component parses the input, potentially leading to denial of service, data manipulation, bypassing application logic, or code execution.

Mitigation is available in iccDEV version 2.3.1.2, which addresses the issue. Security advisories recommend updating to this patched version. Key references include the fixing commit at https://github.com/InternationalColorConsortium/iccDEV/commit/3cf522b13832692b107322cd51c4ae5c3a21f366, the issue discussion at https://github.com/InternationalColorConsortium/iccDEV/issues/507, and the GitHub security advisory at https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398q-4rpv-3v9r.
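The CWE chain above (an unchecked pointer return, CWE-690, turning into a null dereference, CWE-476, on input that was never validated for consistency, CWE-20) and the SI-10 input-validation control listed under Mitigating Controls are easier to reason about with code in front of you. The following C++ is an added illustration written for this page, not iccDEV's code and not the actual ParseBasic() logic: it uses a simplified, constructed tag-table layout as a stand-in for a real ICC profile, shows a lookup that legitimately returns nullptr, the unchecked caller that crashes on a profile lacking the tag, the checked caller that reports failure instead, and a parser that rejects a tag table whose offsets or sizes are inconsistent with the blob before anything is dereferenced. All function names, the layout and the sample bytes are assumptions for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed illustration of the CWE classes named on this page, not iccDEV's
// code: a lookup that legitimately returns nullptr (CWE-690), a caller that
// dereferences it unchecked (CWE-476), the checked version, and consistency
// validation of the tag table (NIST SI-10) before any tag data is touched.
// The blob layout below is a simplified stand-in for a real ICC profile.

struct TagEntry {
    uint32_t sig;     // four-character tag signature
    uint32_t offset;  // byte offset of the tag data inside the blob
    uint32_t size;    // byte length of the tag data
};

// ICC data is big-endian; read and write helpers for 32-bit fields
static uint32_t rd32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}
static void wr32(std::vector<uint8_t>& v, uint32_t x) {
    v.push_back(uint8_t(x >> 24)); v.push_back(uint8_t(x >> 16));
    v.push_back(uint8_t(x >> 8));  v.push_back(uint8_t(x));
}

// Toy layout: "acsp", entry count, then count * 12 bytes of {sig, offset, size}.
// Returns false (and leaves `table` empty) when the header or any entry is
// inconsistent with the blob, so later stages never see out-of-range offsets.
bool parseTagTable(const std::vector<uint8_t>& d, std::vector<TagEntry>& table) {
    table.clear();
    if (d.size() < 8 || std::memcmp(d.data(), "acsp", 4) != 0) return false;
    uint32_t count = rd32(d.data() + 4);
    // Compare against the bytes available instead of computing count * 12,
    // which an attacker-chosen count could overflow
    if (count > (d.size() - 8) / 12) return false;
    for (uint32_t i = 0; i < count; ++i) {
        const uint8_t* e = d.data() + 8 + i * 12;
        TagEntry t{rd32(e), rd32(e + 4), rd32(e + 8)};
        // Both offset and size must fit; written so offset + size cannot wrap
        if (t.offset > d.size() || t.size > d.size() - t.offset) {
            table.clear();
            return false;
        }
        table.push_back(t);
    }
    return true;
}

// Returns nullptr when the profile lacks the tag: every caller must check it
const TagEntry* findTag(const std::vector<TagEntry>& table, uint32_t sig) {
    for (const TagEntry& t : table)
        if (t.sig == sig) return &t;
    return nullptr;
}

// Before: the return value is used unchecked, so a profile without the tag
// dereferences nullptr (CWE-690 leading to CWE-476)
uint32_t tagSizeUnchecked(const std::vector<TagEntry>& table, uint32_t sig) {
    return findTag(table, sig)->size;
}

// After: the missing-tag case is reported to the caller instead of crashing
bool tagSizeChecked(const std::vector<TagEntry>& table, uint32_t sig, uint32_t& out) {
    const TagEntry* t = findTag(table, sig);
    if (t == nullptr) return false;
    out = t->size;
    return true;
}

// Constructed sample blob with a 'desc' and a 'wtpt' tag; when `corrupt` is
// set the second entry claims a size that runs far past the end of the blob
std::vector<uint8_t> makeSample(bool corrupt) {
    std::vector<uint8_t> v = {'a', 'c', 's', 'p'};
    wr32(v, 2);
    wr32(v, 0x64657363u); wr32(v, 32); wr32(v, 8);                          // 'desc'
    wr32(v, 0x77747074u); wr32(v, 40); wr32(v, corrupt ? 0xFFFFFFF0u : 4u); // 'wtpt'
    v.resize(48, 0);  // payload area covering the offsets above
    return v;
}

int main() {
    std::vector<TagEntry> table;
    uint32_t sz = 0;
    if (parseTagTable(makeSample(false), table) && tagSizeChecked(table, 0x64657363u, sz))
        std::printf("desc tag size: %u\n", sz);
    if (!tagSizeChecked(table, 0x7258595Au, sz))  // 'rXYZ' is absent in the sample
        std::printf("missing tag reported, not dereferenced\n");
    if (!parseTagTable(makeSample(true), table))
        std::printf("inconsistent tag table rejected before parsing\n");
    return 0;
}
```

The design point is that the table is validated as a whole, against the real blob length, before any tag is looked up, and that every lookup result is treated as possibly null. Calling tagSizeUnchecked() with a signature the profile lacks is exactly the CWE-690/CWE-476 failure the advisory describes; the checked variant turns that into a recoverable error, which is what the "secure error handling" control asks for.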

Details

CWE(s): CWE-20, CWE-476, CWE-690, CWE-758

Affected Products: color / iccdev ≤ 2.3.1.2

CVEs Like This One

CVE-2026-24411 (same product: Color Iccdev)
CVE-2026-21677 (same product: Color Iccdev)
CVE-2026-24409 (same product: Color Iccdev)
CVE-2026-24407 (same product: Color Iccdev)
CVE-2026-24404 (same product: Color Iccdev)
CVE-2026-21688 (same product: Color Iccdev)
CVE-2026-21485 (same product: Color Iccdev)
CVE-2026-21682 (same product: Color Iccdev)
CVE-2026-24412 (same product: Color Iccdev)
CVE-2026-24406 (same product: Color Iccdev)

References