CVE-2026-24856
HIGH
iccDEV <2.3.1.2 - RCE
Title source: llmDescription
iccDEV provides a set of libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions prior to 2.3.1.2 invoke undefined behavior when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing. The C++ standard leaves this conversion undefined, so the resulting value is unpredictable and the compiler may discard checks placed after the cast; values derived from it can then corrupt memory structures and enable arbitrary code execution. This affects users of the iccDEV library who process ICC color profiles, in particular through the XML-to-profile path, where attacker-controlled text reaches a float-to-integer conversion without NaN or range validation. The root cause is an unsafe numeric conversion (CWE-704, CWE-681) on unvalidated input (CWE-20) rather than injection in the usual sense; the broader lesson is the same as for ICC profile injection, namely that user-controllable input must not be incorporated into ICC profile data or other structured binary blobs without validation. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available.
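The conversion problem described above, illustrated with an added C++ example that is not iccDEV's code and does not reproduce the project's actual patch: a numeric text field is parsed the way an XML attribute would be, validated as a double before it is narrowed to unsigned short (a rejecting variant beside a saturating one), and a hypothetical fixed-size table shows how a count produced by an unchecked conversion would drive an out-of-bounds write loop. The names toUInt16Checked, toUInt16Clamped, parseUInt16Field, CurveTable and fillCurve are assumptions for illustration, and the sample field values in main are constructed.

```cpp
#include <cerrno>
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <optional>
#include <string>

// Hypothetical helper, not from iccDEV: validate the double BEFORE the cast.
// Converting NaN, +/-inf or an out-of-range value to an integer type is
// undefined behaviour in C++ ([conv.fpint]), so every check must be made on
// the double; a range check on the integer after the cast is too late.
std::optional<std::uint16_t> toUInt16Checked(double v) {
    if (std::isnan(v) || std::isinf(v)) return std::nullopt;
    if (v < 0.0 || v > 65535.0) return std::nullopt;
    return static_cast<std::uint16_t>(v);   // in range: well-defined truncation
}

// Saturating variant: clamp instead of reject. The explicit isnan test is
// essential because every ordered comparison with NaN is false, so a clamp
// written only as "if (v < 0) ... else if (v > 65535) ..." lets NaN fall
// through to the undefined cast.
std::uint16_t toUInt16Clamped(double v) {
    if (std::isnan(v)) return 0;
    if (v <= 0.0) return 0;
    if (v >= 65535.0) return 65535;
    return static_cast<std::uint16_t>(v);
}

// Parse a numeric text field the way an XML attribute value would be read.
// strtod() accepts "nan", "inf", "1e99" and "-1", so the text layer cannot
// be trusted to deliver a sane number; filter after parsing.
std::optional<std::uint16_t> parseUInt16Field(const std::string& text) {
    if (text.empty()) return std::nullopt;
    errno = 0;
    char* end = nullptr;
    double v = std::strtod(text.c_str(), &end);
    if (end == text.c_str() || *end != '\0') return std::nullopt;  // no digits / trailing junk
    if (errno == ERANGE) return std::nullopt;                        // overflow or underflow
    return toUInt16Checked(v);
}

// Hypothetical fixed-size structure (not iccDEV's layout) showing why the
// cast matters: a count that came out of an unchecked NaN conversion would
// drive the write loop in fillCurve with an arbitrary value.
struct CurveTable {
    static constexpr std::size_t kCapacity = 256;
    std::uint16_t entries[kCapacity];
    std::uint16_t count;
};

// Fill the table from a textual count field; refuses anything the validated
// parse rejects or that exceeds the fixed capacity.
bool fillCurve(CurveTable& t, const std::string& countField) {
    std::optional<std::uint16_t> n = parseUInt16Field(countField);
    if (!n || *n > CurveTable::kCapacity) return false;
    t.count = *n;
    for (std::uint16_t i = 0; i < *n; ++i) t.entries[i] = i;  // bounded by kCapacity
    return true;
}

int main() {
    // Constructed sample field values, as they might appear in profile XML.
    const char* samples[] = {"3.7", "65535", "65536", "-1", "nan", "inf", "1e99", "12abc", ""};
    for (const char* s : samples) {
        std::optional<std::uint16_t> r = parseUInt16Field(s);
        if (r) std::printf("%-8s -> %u\n", s, static_cast<unsigned>(*r));
        else   std::printf("%-8s -> rejected\n", s);
    }
    CurveTable t{};
    std::printf("fillCurve(\"nan\") = %s\n", fillCurve(t, "nan") ? "ok" : "refused");
    std::printf("fillCurve(\"256\") = %s\n", fillCurve(t, "256") ? "ok" : "refused");
    return 0;
}
```

Do not rely on the undefined cast producing a harmless value: on x86-64 the usual cvttsd2si sequence yields the "integer indefinite" pattern 0x80000000 for NaN, which truncates to 0 in a 16-bit field, but the compiler is entitled to assume the undefined conversion never happens and to delete any range check written after it. That is why every check above is applied to the double before narrowing.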
Scores
CVSS v3
7.8
EPSS
0.0004
EPSS Percentile
10.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Classification
CWE
CWE-704
CWE-681
CWE-20
Status
published
Affected Products (1)
color/iccdev
< 2.3.1.2
Timeline
Published
Jan 28, 2026
Tracked Since
Feb 18, 2026