CVE-2026-24411

{"id": "CVE-2026-24411", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-24411", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T16:14:27.071690Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "InternationalColorConsortium", "product": "iccDEV", "versions": [{"status": "affected", "version": "< 2.3.1.2"}]}]}], "published": "2026-01-24T02:15:49.223", "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/d6d6f51a999d4266ec09347cac7e0930d6e02eec", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/499", "tags": ["Exploit", "Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x53f-7h27-9fc8", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-476"}, {"lang": "en", "value": "CWE-690"}, {"lang": "en", "value": "CWE-758"}]}], "descriptions": [{"lang": "en", "value": "iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in CIccTagXmlSegmentedCurve::ToXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona librer\u00edas y herramientas para interactuar con, manipular y aplicar perfiles de gesti\u00f3n de color ICC. Las versiones 2.3.1.1 y anteriores tienen Comportamiento Indefinido en CIccTagXmlSegmentedCurve::ToXml(). Esto ocurre cuando la entrada controlable por el usuario se incorpora de forma insegura en datos de perfiles ICC u otros blobs binarios estructurados. Una explotaci\u00f3n exitosa puede permitir a un atacante realizar DoS, manipular datos, eludir la l\u00f3gica de la aplicaci\u00f3n y la Ejecuci\u00f3n de C\u00f3digo. Este problema ha sido solucionado en la versi\u00f3n 2.3.1.2."}], "lastModified": "2026-06-17T10:23:01.697", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680", "versionEndExcluding": "2.3.1.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}