CVE-2026-24407
BaseFortify
Publication date: 2026-01-24
Last updated on: 2026-01-30
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | all versions before 2.3.1.2 (2.3.1.2 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-758 | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-24407 is a high-severity vulnerability in the iccDEV library, versions up to and including 2.3.1.1, specifically in the function icSigCalcOp(). It arises from improper handling of ICC color profiles: user-controllable input is incorporated unsafely into ICC profile data or other structured binary blobs. The result is an ICC Profile Injection flaw that lets attackers manipulate ICC tag tables, offsets, or size fields. Exploitation can cause parsing errors, memory corruption, denial of service, bypass of application logic, or even arbitrary code execution when vulnerable native libraries process the malformed profile. The root cause is improper input validation combined with reliance on undefined behavior. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to cause a denial of service (DoS) in applications that use the vulnerable iccDEV library. Attackers may also manipulate data or bypass application logic that relies on ICC profile metadata. In some cases it can lead to arbitrary code execution if the malformed ICC profiles are processed by vulnerable native libraries, potentially compromising system security and stability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for runtime errors or warnings about invalid 'icSigCalcOp' values when ICC profiles are processed with iccDEV tools. For example, running the iccRoundTrip tool on suspicious or untrusted ICC profile files may produce repeated warnings about loading invalid 'icSigCalcOp' values, which indicates a malformed profile that targets this weakness. A concrete check is to run `iccRoundTrip <profile.icc>` and watch for warnings about invalid 'icSigCalcOp' values or parsing errors. In addition, monitoring application logs for such warnings, or for crashes in applications that link iccDEV, can help detect exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the iccDEV library to version 2.3.1.2 or later, where the issue in icSigCalcOp() has been fixed. No workarounds are provided, so applying the patch or the updated version is necessary to prevent exploitation. Until the update is applied, avoid processing untrusted or malformed ICC profiles. [1]