Cyber Posture

CVE-2026-30978

High

Published: 10 March 2026
Modified: 13 March 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (fixed in iccDEV 2.3.1.5)
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30978 is a high-severity Use After Free (CWE-416) vulnerability in iccDEV (tracked under the CPE vendor "color", product "iccdev"), a set of libraries and tools for working with ICC color management profiles. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 5.3rd percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), in practice upgrading to iccDEV 2.3.1.5, and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely patching of the heap-use-after-free flaw in iccDEV by updating to version 2.3.1.5, which eliminates the vulnerability. iccDEV is a library, so every application that statically links or bundles it, not only the iccDEV command-line tools, must be rebuilt or re-shipped against the fixed release.

SI-16 Memory Protection (prevent)

Provides memory protection safeguards such as ASLR and DEP/NX that raise the cost of turning the use-after-free (a virtual call through a dangling vptr) into code execution. These safeguards do not prevent the crash itself, so they reduce the code-execution risk but not the denial-of-service impact; only the patch removes the bug.

RA-5 Vulnerability Monitoring and Scanning (detect)

Enables vulnerability scanning to identify vulnerable iccDEV versions (anything earlier than 2.3.1.5) before exploitation.
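A concrete way to verify the SI-16 point for a deployed binary is to check whether it was built position-independent (so ASLR can randomise its own code and data) and whether its stack is mapped non-executable. The checker below is an added example written for this page, not code from the page or from the iccDEV project; it parses little-endian ELF64 images only (Linux builds), treats ET_DYN as "PIE" (see the caveat after the block), and the sample images it exercises are constructed in-line so it runs offline. Point checkFile() at a real binary that links iccDEV to test a production build.

```cpp
// Added example (not iccDEV code): report whether an ELF64 binary has the two
// memory-protection properties SI-16 relies on here: PIE (for ASLR) and a
// non-executable stack (DEP/NX). Little-endian ELF64 only.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

struct ElfMitigations {
    bool valid = false;    // parsed as a little-endian ELF64 image
    bool pie = false;      // e_type == ET_DYN (heuristic: shared objects are ET_DYN too)
    bool nxStack = false;  // PT_GNU_STACK present and without PF_X
};

namespace {
constexpr uint16_t ET_DYN_ = 3;
constexpr uint32_t PT_GNU_STACK_ = 0x6474e551;
constexpr uint32_t PF_X_ = 1;

uint16_t rd16(const std::vector<uint8_t>& b, std::size_t off) { return uint16_t(b[off] | (b[off + 1] << 8)); }
uint32_t rd32(const std::vector<uint8_t>& b, std::size_t off) { return uint32_t(rd16(b, off)) | (uint32_t(rd16(b, off + 2)) << 16); }
uint64_t rd64(const std::vector<uint8_t>& b, std::size_t off) { return uint64_t(rd32(b, off)) | (uint64_t(rd32(b, off + 4)) << 32); }
}  // namespace

ElfMitigations checkImage(const std::vector<uint8_t>& img) {
    ElfMitigations r;
    if (img.size() < 64 || std::memcmp(img.data(), "\x7f" "ELF", 4) != 0) return r;
    if (img[4] != 2 || img[5] != 1) return r;   // EI_CLASS must be ELFCLASS64, EI_DATA little-endian
    r.valid = true;
    r.pie = rd16(img, 16) == ET_DYN_;            // e_type
    uint64_t phoff = rd64(img, 32);              // e_phoff
    uint16_t phentsize = rd16(img, 54);          // e_phentsize
    uint16_t phnum = rd16(img, 56);              // e_phnum
    bool sawGnuStack = false;
    for (uint16_t i = 0; i < phnum; ++i) {
        uint64_t off = phoff + uint64_t(i) * phentsize;
        if (off + 8 > img.size()) break;         // truncated program header table
        if (rd32(img, off) == PT_GNU_STACK_) {   // p_type, then p_flags at +4
            sawGnuStack = true;
            r.nxStack = (rd32(img, off + 4) & PF_X_) == 0;
        }
    }
    // No PT_GNU_STACK at all: the loader's historic default is an executable stack.
    if (!sawGnuStack) r.nxStack = false;
    return r;
}

ElfMitigations checkFile(const std::string& path) {
    std::ifstream f(path, std::ios::binary);
    std::vector<uint8_t> img((std::istreambuf_iterator<char>(f)), std::istreambuf_iterator<char>());
    return checkImage(img);
}

// Constructed minimal ELF64 image (header + one program header) for offline use.
std::vector<uint8_t> sampleImage(uint16_t eType, bool withGnuStack, uint32_t stackFlags) {
    std::vector<uint8_t> img(64 + 56, 0);
    std::memcpy(img.data(), "\x7f" "ELF", 4);
    img[4] = 2; img[5] = 1; img[6] = 1;                           // ELF64, little-endian, EV_CURRENT
    img[16] = uint8_t(eType); img[17] = uint8_t(eType >> 8);      // e_type
    img[18] = 0x3e;                                               // e_machine = EM_X86_64
    img[32] = 64;                                                 // e_phoff = 64 (right after the header)
    img[52] = 64; img[54] = 56; img[56] = withGnuStack ? 1 : 0;   // e_ehsize, e_phentsize, e_phnum
    if (withGnuStack) {
        for (int i = 0; i < 4; ++i) {
            img[64 + i] = uint8_t(PT_GNU_STACK_ >> (8 * i));      // p_type
            img[68 + i] = uint8_t(stackFlags >> (8 * i));         // p_flags
        }
    }
    return img;
}

int main(int argc, char** argv) {
    if (argc < 2) { std::fprintf(stderr, "usage: %s <elf-binary>\n", argv[0]); return 2; }
    ElfMitigations m = checkFile(argv[1]);
    std::printf("%s: valid=%d pie=%d nx_stack=%d\n", argv[1], m.valid, m.pie, m.nxStack);
    return (m.valid && m.pie && m.nxStack) ? 0 : 1;
}
```

Caveat: ET_DYN is also the type of every shared library, so for a strict PIE verdict on a main executable also confirm DF_1_PIE in DT_FLAGS_1 or the presence of PT_INTERP; and even a fully hardened build still crashes on this bug, which is why the check complements the SI-2 upgrade rather than replacing it.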

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A heap use-after-free in a client-side ICC profile library supports two mappings: code execution inside an application that loads a crafted profile (T1203) and a crash-induced denial of service (T1499.004). The local attack vector with required user interaction (a victim opening or converting a malicious profile) and the high confidentiality, integrity and availability impacts in the CVSS vector are consistent with both, but the public description confirms only a crash from an invalid vptr dereference; code execution is inferred from the CVSS metrics and has not been explicitly confirmed.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform() causing invalid vptr dereference and crash. This vulnerability is fixed in 2.3.1.5.

Deeper analysis

CVE-2026-30978 is a heap use-after-free in iccDEV, a set of libraries and tools for working with ICC color management profiles. The flaw is in CIccCmm::AddXform() in versions prior to 2.3.1.5: an object that has already been freed is used again, and a virtual call made through the stale object reads an invalid vptr and crashes the process. NVD links it to CWE-416 (Use After Free), CWE-672 (Operation on a Resource after Expiration or Release) and CWE-825 (Expired Pointer Dereference), with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The CVSS vector reads like a typical file-parsing bug: the attack vector is local (AV:L) and user interaction is required (UI:R), which in practice means an attacker supplies a crafted ICC profile and a victim opens or converts it with a program that uses iccDEV; no privileges (PR:N) and no special conditions (AC:L) are needed. The impact metrics are high for confidentiality, integrity and availability. The availability impact (a crash) is documented; the confidentiality and integrity impacts reflect the general potential of a heap use-after-free with virtual dispatch to be escalated to code execution if the attacker can control what occupies the freed allocation, which has not been publicly demonstrated for this CVE.

The fix is in iccDEV version 2.3.1.5; update to that release, and rebuild any application that bundles or statically links the library. Key resources are the GitHub security advisory GHSA-97mf-f6r7-q9q4, issue #612, pull request #616, and the release notes for v2.3.1.5.
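The failure mode described in the analysis above, a freed polymorphic object whose vptr is read again by a later virtual call, is shown below in its generic form together with the ownership fix that removes the bug class. This is an added example written for this page: the Xform, ScaleXform, UnsafeCmm and SafeCmm names are invented, it is not iccDEV code, and it does not reproduce the actual root cause inside CIccCmm::AddXform(), which the page does not describe.

```cpp
// Added illustration (not iccDEV code) of CWE-416 on a polymorphic C++ object:
// a container keeps a raw pointer to an object someone else frees, and the next
// virtual call dereferences the dangling vptr. Names are invented; the real
// defect in CIccCmm::AddXform() is not reproduced here.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-in for a colour transform with virtual dispatch.
struct Xform {
    virtual ~Xform() = default;
    virtual int apply(int v) const = 0;   // dispatched through the object's vptr
};

struct ScaleXform : Xform {
    explicit ScaleXform(int f) : factor_(f) {}
    int apply(int v) const override { return v * factor_; }
private:
    int factor_;
};

// Vulnerable shape: raw pointers with no stated ownership. Nothing stops the
// caller (or an error path inside the callee) from deleting an Xform that the
// container still references.
class UnsafeCmm {
public:
    void addXform(Xform* x) { xforms_.push_back(x); }   // who owns x afterwards?
    int applyAll(int v) const {
        for (const Xform* x : xforms_) v = x->apply(v);  // reads x->vptr: UAF if x was freed
        return v;
    }
private:
    std::vector<Xform*> xforms_;
};

// Hardened shape: the container owns every transform it holds and the signature
// says so. A caller that keeps using the pointer after std::move() is a visible
// misuse rather than a silent dangling reference.
class SafeCmm {
public:
    bool addXform(std::unique_ptr<Xform> x) {
        if (!x) return false;                   // reject null instead of storing it
        xforms_.push_back(std::move(x));
        return true;
    }
    int applyAll(int v) const {
        for (const auto& x : xforms_) v = x->apply(v);
        return v;
    }
    std::size_t size() const { return xforms_.size(); }
private:
    std::vector<std::unique_ptr<Xform>> xforms_;
};

// Safe pipeline on the hardened container: input -> *2 -> *3.
int runSafePipeline(int input) {
    SafeCmm cmm;
    cmm.addXform(std::make_unique<ScaleXform>(2));
    cmm.addXform(std::make_unique<ScaleXform>(3));
    cmm.addXform(nullptr);                      // rejected, does not enter the pipeline
    return cmm.applyAll(input);
}

// The vulnerable path is undefined behaviour, so it lives only in main(); build
// with -fsanitize=address to get a "heap-use-after-free" report, the same wording
// the NVD text uses for this CVE.
int main() {
    std::printf("safe pipeline: %d\n", runSafePipeline(10));

    UnsafeCmm cmm;
    Xform* x = new ScaleXform(2);
    cmm.addXform(x);
    delete x;                                   // caller still believes it owns x ...
    std::printf("unsafe pipeline: %d\n", cmm.applyAll(10));   // ... vptr read from a freed chunk
    return 0;
}
```

Compile with `g++ -std=c++17 -g -fsanitize=address` and run it to see AddressSanitizer flag the second pipeline. std::unique_ptr does not eliminate every use-after-free (an alias stored elsewhere still dangles), but it removes the ambiguous ownership that produces this pattern; keeping ASan-instrumented builds in CI and fuzzing the profile parser catches the remainder.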

Details

CWE(s)

CWE-416 Use After Free
CWE-672 Operation on a Resource after Expiration or Release
CWE-825 Expired Pointer Dereference

Affected Products

color:iccdev, all versions prior to 2.3.1.5 (fixed in 2.3.1.5)

CVEs Like This One

CVE-2026-24409 (same product: Color Iccdev)
CVE-2026-24404 (same product: Color Iccdev)
CVE-2026-21486 (same product: Color Iccdev)
CVE-2026-21693 (same product: Color Iccdev)
CVE-2026-24410 (same product: Color Iccdev)
CVE-2026-21677 (same product: Color Iccdev)
CVE-2026-21505 (same product: Color Iccdev)
CVE-2026-21507 (same product: Color Iccdev)
CVE-2026-21688 (same product: Color Iccdev)
CVE-2026-21682 (same product: Color Iccdev)

References

GitHub security advisory GHSA-97mf-f6r7-q9q4
iccDEV issue #612
iccDEV pull request #616
iccDEV release notes for v2.3.1.5