CVE-2026-24404
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-24

Last updated on: 2026-01-30

Assigner: GitHub, Inc.

Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24404
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
color iccdev to 2.3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-690 The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.
CWE-758 The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24404 is a vulnerability in the iccDEV library, which handles ICC color management profiles. The issue arises from unsafe incorporation of user-controllable input into ICC profile data or other structured binary blobs, leading to a Null Pointer Dereference and Undefined Behavior. This can cause crashes or unpredictable behavior when parsing ICC profiles. The vulnerability involves improper input validation and unsafe handling of XML node pointers, which can be exploited by specially crafted ICC profiles. [1, 3]

Impact Analysis

Exploitation of this vulnerability can allow an attacker to cause a denial of service (DoS) by crashing the application processing ICC profiles. Additionally, it may enable manipulation of data, bypassing of application logic, and potentially arbitrary code execution when vulnerable native libraries process malformed ICC profiles. This can compromise the integrity and availability of systems using affected versions of iccDEV. [3]

Detection Guidance

This vulnerability can be detected by analyzing the processing of ICC profiles, especially by running tools like iccDumpProfile with verbose output on suspicious or specially crafted ICC profile files. The runtime error manifests as invalid value loads and type confusion during ICC profile parsing, which can be triggered by malformed profiles. Monitoring for crashes or abnormal behavior in applications processing ICC profiles may also indicate exploitation attempts. Specific commands include running iccDumpProfile with verbose flags on ICC profile files to detect runtime errors related to this vulnerability. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV package to version 2.3.1.2 or later, where the vulnerability has been fixed. The fix includes adding null pointer checks to prevent dereferencing and addressing type confusion issues. Since no workarounds are provided, updating to the patched version is essential to prevent exploitation. [3, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24404. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart