Unrated severityNVD Advisory· Published Jan 24, 2026· Updated Jan 26, 2026

iccDEV has Undefined Behavior and Null Pointer Deference in CIccProfileXml::ParseBasic()

CVE-2026-24410

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

Affected products

iccDEV/iccDEVllm-fuzzy
Range: <=2.3.1.1
InternationalColorConsortium/iccDEVv5
Range: < 2.3.1.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/InternationalColorConsortium/iccDEV/commit/3cf522b13832692b107322cd51c4ae5c3a21f366mitrex_refsource_MISC
github.com/InternationalColorConsortium/iccDEV/issues/507mitrex_refsource_MISC
github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398q-4rpv-3v9rmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000