Unrated severityNVD Advisory· Published Jan 24, 2026· Updated Jan 26, 2026

iccDEV has Null Pointer Deference and Undefined Behavior in CIccXmlArrayType()

CVE-2026-24404

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

Affected products

iccDEV/iccDEVllm-fuzzy
Range: <=2.3.1.1
InternationalColorConsortium/iccDEVv5
Range: < 2.3.1.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/InternationalColorConsortium/iccDEV/commit/cd637eb33f0c8055fa54d8776e00555d3d39ef0cmitrex_refsource_MISC
github.com/InternationalColorConsortium/iccDEV/issues/488mitrex_refsource_MISC
github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hqfg-45jp-hp9fmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000