CVE-2026-24856
Last modified
CVE-2026-24856 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing potentially corrupting memory structures and enabling arbitrary code execution. EPSS estimates a 0.22% chance of exploitation in the next 30 days.
Description
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing potentially corrupting memory structures and enabling arbitrary code execution. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Color | Iccdev | < 2.3.1.2 |
References
- https://github.com/InternationalColorConsortium/iccDEV/issues/532Exploit, Issue Tracking, Vendor Advisory
- https://github.com/InternationalColorConsortium/iccDEV/pull/541Exploit, Issue Tracking, Patch
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-24856?
How severe is CVE-2026-24856?
How do I fix CVE-2026-24856?
Are you affected by CVE-2026-24856?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST