CVE-2026-30978
Published: 10 March 2026
Summary
CVE-2026-30978 is a high-severity use-after-free (CWE-416) vulnerability in iccDEV, a set of libraries and tools for working with ICC color management profiles. Its CVSS v3.1 base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 9.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-30978 is a heap use-after-free in iccDEV, a set of libraries and tools for working with ICC color management profiles. The flaw is in the CIccCmm::AddXform() function in versions prior to 2.3.1.5: a freed object is reused, which leads to an invalid vptr (virtual table pointer) dereference and an application crash. It is classified under CWE-416 (Use After Free), CWE-672 (Operation on a Resource after Expiration or Release) and CWE-825 (Expired Pointer Dereference), with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The vector describes a local attack that needs no privileges and has low attack complexity, but does require user interaction (for example, getting a victim application to load a crafted ICC profile). The impact metrics are high for confidentiality, integrity and availability: a crash (denial of service) is the confirmed outcome, and the dangling vtable pointer is the kind of primitive that can be turned into code execution, which is what the CVSS metrics reflect, although the advisory itself confirms only the crash.
The fix ships in iccDEV version 2.3.1.5, which addresses the heap use-after-free; the advisory recommends updating to that release. Key resources are the GitHub security advisory (GHSA-97mf-f6r7-q9q4), issue #612, pull request #616, and the release notes for v2.3.1.5.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10715
Vulnerability details
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform() causing invalid vptr dereference and crash. This vulnerability is fixed in 2.3.1.5.
- CWE(s): CWE-416 (Use After Free), CWE-672 (Operation on a Resource after Expiration or Release), CWE-825 (Expired Pointer Dereference)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1203 Exploitation for Client Execution
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
A heap use-after-free in a client-side ICC profile library supports exploitation for code execution in client applications (T1203) and application crashes for denial of service (T1499.004). The local vector, UI:R and high CIA impact support both mappings, but full remote code execution is not explicitly confirmed by the advisory.
Affected Assets
- iccDEV versions prior to 2.3.1.5 (fixed in 2.3.1.5)
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely patching of the heap use-after-free in iccDEV by updating to version 2.3.1.5, which eliminates the vulnerability.
- SI-16 (Memory Protection): memory protection safeguards such as ASLR and DEP raise the cost of turning the use-after-free and invalid vptr dereference into code execution; they do not prevent the crash.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies installations of vulnerable iccDEV versions (before 2.3.1.5) so they can be remediated before exploitation.
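As an added example that is not part of this page or of the iccDEV project, the following script decides whether iccDEV version strings collected from an inventory predate the fixed release 2.3.1.5. Versions are compared component-wise rather than as strings, so that a future 2.3.1.10 is not misjudged as older than 2.3.1.5; the inventory data is constructed for illustration.

```python
import re

# First iccDEV release containing the fix for CVE-2026-30978 (per the advisory).
FIXED_VERSION = "2.3.1.5"

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)$")


def parse_version(version: str) -> tuple:
    """Turn '2.3.1.5' (or 'v2.3.1.5') into a tuple of ints; reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def compare_versions(a: tuple, b: tuple) -> int:
    """Component-wise comparison; missing trailing components count as 0
    (so '2.3.1' is treated as 2.3.1.0). Returns -1, 0 or 1."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the given iccDEV version is older than the fixed release."""
    return compare_versions(parse_version(version), parse_version(fixed)) < 0


def triage(inventory: dict) -> dict:
    """Map host -> list of vulnerable iccDEV versions found on it.
    Unparseable strings are reported under a separate 'unparsed' key so
    they are not silently treated as safe."""
    findings = {}
    for host, versions in inventory.items():
        bad, unparsed = [], []
        for v in versions:
            try:
                if is_vulnerable(v):
                    bad.append(v)
            except ValueError:
                unparsed.append(v)
        if bad or unparsed:
            findings[host] = {"vulnerable": bad, "unparsed": unparsed}
    return findings


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "build-01": ["2.3.1.4"],
    "build-02": ["2.3.1.5"],
    "render-07": ["v2.3.1.5", "2.3.1"],
    "render-08": ["2.3.1.10"],
    "legacy-03": ["2.1.0", "unknown"],
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(host, result)
```

Run it against whatever your scanner reports as the iccDEV library or tool version; the component-wise comparison is what RA-5 scanning needs to avoid false negatives on multi-digit components.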