CVE-2026-24403

HIGH

iccDEV <2.3.1.1 - Memory Corruption

Title source: llm

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or DoS, potentially enabling arbitrary Code Execution or bypassing application logic. This issue has been fixed in version 2.3.1.2.

References (3)

[Patch, Vendor Advisory] https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-ph33-qp8j-5q34

[Exploit, Issue Tracking] https://github.com/InternationalColorConsortium/iccDEV/issues/505

[Patch] https://github.com/InternationalColorConsortium/iccDEV/commits/d993997005449a0a6958e65b057bd25e17dff89

Scores

CVSS v3 7.1

EPSS 0.0019

EPSS Percentile 40.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-190 CWE-20

Status published

Products (1)

color/iccdev < 2.3.1.2

Published Jan 24, 2026

Tracked Since Feb 18, 2026