CVE-2026-24852

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, a heap buffer over-read when the strlen() function attempts to read a non-null-terminated buffer potentially leaking heap memory contents and causing application termination. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 4.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/InternationalColorConsortium/iccDEV/commit/3092499cd4d0775f4a716b999899f9c26f9bc614
https://github.com/InternationalColorConsortium/iccDEV/pull/540
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-q8g2-mp32-3j7f

Configurations

No configuration.

History

28 Jan 2026, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-28 01:16

Updated : 2026-01-29 16:31

NVD link : CVE-2026-24852

Mitre link : CVE-2026-24852

CVE.ORG link : CVE-2026-24852

JSON object : View

Products Affected

No product.

CWE

CWE-122

Heap-based Buffer Overflow

CWE-125

Out-of-bounds Read

CWE-170

Improper Null Termination

6.1 /10