CVE-2026-24856
Published: 28 January 2026
Summary
CVE-2026-24856 is a high-severity Improper Input Validation (CWE-20) vulnerability in Color Iccdev. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 4.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mandates identifying, reporting, and applying the patch to iccDEV version 2.3.1.2, eliminating the NaN-to-unsigned-short conversion flaw.
- SI-10 (Information Input Validation): requires validation of ICC profile XML inputs so that malformed data such as NaN values is rejected before parsing, preventing the memory corruption.
- Memory-protection safeguards such as address space layout randomization and data execution prevention, which raise the cost of exploiting the memory corruption caused by the NaN conversion.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a memory corruption flaw in a client-side ICC profile parsing library that directly enables arbitrary code execution when a user processes a malicious file; it therefore maps to client exploitation (T1203) delivered via a malicious file (T1204.002).
NVD Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing, potentially corrupting memory structures and enabling arbitrary code execution. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available.
Deeper analysis
CVE-2026-24856 is an undefined behavior vulnerability in the iccDEV library, a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions prior to 2.3.1.2 are affected when parsing ICC profile XML, specifically during the conversion of floating-point NaN values to unsigned short integer types. This can corrupt memory structures and potentially enable arbitrary code execution. The issue stems from ICC Profile Injection vulnerabilities where user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs, impacting users of the iccDEV library who process ICC color profiles.
According to the CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), exploitation requires local access with low complexity and no privileges, but user interaction is necessary. An attacker could exploit this by crafting a malicious ICC profile containing NaN values and tricking a user into processing it through an application using the vulnerable iccDEV library. Successful exploitation could lead to arbitrary code execution with the privileges of the processing user, due to memory corruption.
Mitigation is available in iccDEV version 2.3.1.2, which includes a fix for the issue, as detailed in the project's GitHub commit (5e53a5d25923b7794ba44e390e9b35d391f2b9c1), issue tracker (#532), pull request (#541), and security advisory (GHSA-w585-cv3v-c396). No known workarounds exist for earlier versions.
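The root cause above is a C float-to-integer cast performed on a value that may be NaN. As an added illustration (not code from iccDEV, its fix commit, or PR #541), the following shows the validation a CWE-20 / SI-10 control calls for: a field that arrives as XML text is parsed and range-checked before it is ever cast to unsigned short. The helper names, status codes and sample values are constructed for this page.

```c
#include <limits.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>

/* Status codes; hypothetical helper written for this page, not an iccDEV API. */
typedef enum {
    CONV_OK = 0,
    CONV_SYNTAX,    /* text is not a complete decimal number */
    CONV_NAN,       /* NaN has no integer value: the cast would be UB */
    CONV_INF,       /* +/- infinity: likewise */
    CONV_NEGATIVE,  /* below 0: not representable as unsigned short */
    CONV_TOO_LARGE  /* above USHRT_MAX: not representable */
} conv_status;

/* C17 6.3.1.4: a float->integer cast is undefined when the truncated value
 * is not representable in the target type, and NaN never is. Validating
 * before the cast keeps every path defined; the bounds are a little stricter
 * than the minimum (-0.5f and 65535.5f are also rejected) so no field relies on truncation. */
conv_status float_to_ushort(float in, unsigned short *out)
{
    if (isnan(in)) return CONV_NAN;
    if (isinf(in)) return CONV_INF;
    if (in < 0.0f) return CONV_NEGATIVE;
    if (in > (float)USHRT_MAX) return CONV_TOO_LARGE;  /* 65535.0f is exact */
    *out = (unsigned short)in;  /* defined: in-range truncation toward zero */
    return CONV_OK;
}

/* Models the parsing step: an XML attribute arrives as text, strtof turns it
 * into a float (it accepts the spellings "nan" and "inf"), then we validate. */
conv_status parse_ushort_field(const char *text, unsigned short *out)
{
    char *end = NULL;
    float v = strtof(text, &end);
    if (end == text || *end != '\0') return CONV_SYNTAX;
    return float_to_ushort(v, out);
}

int main(void)
{
    const char *samples[] = { "255.9", "65535", "nan", "inf", "-1", "1e10", "12x" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned short v = 0;
        conv_status s = parse_ushort_field(samples[i], &v);
        printf("%-6s -> status %d, value %u\n", samples[i], (int)s, v);
    }
    return 0;
}
```

The same check applies wherever a parsed floating-point value feeds an integer field; rejecting the field (or the whole profile) is the safe outcome, since a NaN in a color profile has no meaningful interpretation.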
Details
- CWE(s)