Cyber Resilience

CVE-2026-30978

Severity: High
Published: 10 March 2026
Modified: 13 March 2026
KEV Added: not listed
Patch: iccDEV 2.3.1.5
CVSS v3.1 Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (9.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-30978 is a high-severity Use After Free (CWE-416) vulnerability in Color Iccdev. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 9.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-30978 is a heap-use-after-free vulnerability in iccDEV, a set of libraries and tools for working with ICC color management profiles. The flaw occurs in the CIccCmm::AddXform() function in versions prior to 2.3.1.5, leading to an invalid vptr dereference and an application crash. It is linked to CWE-416 (Use After Free), CWE-672, and CWE-825, with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by a local attacker with no privileges required; attack complexity is low, but user interaction is required. Successful exploitation has high impact on confidentiality, integrity, and availability, including denial of service through crashes and, as the CVSS metrics indicate, the possibility of broader code execution.

Mitigation is available in iccDEV version 2.3.1.5, which addresses the heap-use-after-free issue. Security advisories recommend updating to this patched release. Key resources include the GitHub security advisory (GHSA-97mf-f6r7-q9q4), issue #612, pull request #616, and release notes for v2.3.1.5.

EU & UK References

Vulnerability details

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform() causing invalid vptr dereference and crash. This vulnerability is fixed in 2.3.1.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

A heap use-after-free in a client-side ICC profile library supports exploitation for code execution in client applications (T1203) and application crashes for denial of service (T1499.004). The local attack vector, the UI:R requirement and the high confidentiality, integrity and availability impact support both mappings, although full remote code execution is not explicitly confirmed.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24404 (same product: Color Iccdev)
CVE-2026-24409 (same product: Color Iccdev)
CVE-2026-21486 (same product: Color Iccdev)
CVE-2026-24412 (same product: Color Iccdev)
CVE-2026-21507 (same product: Color Iccdev)
CVE-2026-25585 (same product: Color Iccdev)
CVE-2026-24403 (same product: Color Iccdev)
CVE-2026-21677 (same product: Color Iccdev)
CVE-2026-21693 (same product: Color Iccdev)
CVE-2026-21505 (same product: Color Iccdev)

Affected Assets

Vendor: color
Product: iccdev
Versions: ≤ 2.3.1.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 Flaw Remediation. Directly requires timely patching of the heap-use-after-free flaw in iccDEV by updating to version 2.3.1.5 to eliminate the vulnerability.

prevent: Provides memory protection safeguards such as ASLR and DEP to mitigate exploitation of the use-after-free leading to an invalid vptr dereference.

detect: RA-5 Vulnerability Monitoring and Scanning. Enables vulnerability scanning to identify vulnerable iccDEV versions before exploitation.

References