CVE-2026-24405

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccMpeCalculator::Read(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/InternationalColorConsortium/iccDEV/commit/d22fc174866e2521f8a5f9393fab5be306329f62	Patch
https://github.com/InternationalColorConsortium/iccDEV/issues/479	Exploit Issue Tracking
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2r5c-5w66-47vv	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:23

Type	Values Removed	Values Added
Summary		(es) iccDEV proporciona librerías y herramientas para interactuar con, manipular y aplicar perfiles de gestión de color ICC. Las versiones 2.3.1.1 e inferiores tienen una vulnerabilidad de desbordamiento de búfer de montón en CIccMpeCalculator::Read(). Esto ocurre cuando la entrada controlable por el usuario se incorpora de forma insegura en datos de perfil ICC u otros blobs binarios estructurados. La explotación exitosa puede permitir a un atacante realizar DoS, manipular datos, eludir la lógica de la aplicación y la ejecución de código. Este problema ha sido corregido en la versión 2.3.1.2.

30 Jan 2026, 18:24

Type	Values Removed	Values Added
CPE		cpe:2.3:a:color:iccdev::::::::
First Time		Color Color iccdev
References	~~() https://github.com/InternationalColorConsortium/iccDEV/commit/d22fc174866e2521f8a5f9393fab5be306329f62 -~~	() https://github.com/InternationalColorConsortium/iccDEV/commit/d22fc174866e2521f8a5f9393fab5be306329f62 - Patch
References	~~() https://github.com/InternationalColorConsortium/iccDEV/issues/479 -~~	() https://github.com/InternationalColorConsortium/iccDEV/issues/479 - Exploit, Issue Tracking
References	~~() https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2r5c-5w66-47vv -~~	() https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2r5c-5w66-47vv - Patch, Vendor Advisory

24 Jan 2026, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-24 01:15

Updated : 2026-06-17 10:23

NVD link : CVE-2026-24405

Mitre link : CVE-2026-24405

CVE.ORG link : CVE-2026-24405

JSON object : View

Products Affected

color

iccdev

CWE

CWE-20

Improper Input Validation

CWE-122

Heap-based Buffer Overflow

8.8 /10