CVE-2026-24410
BaseFortify
Publication date: 2026-01-24
Last updated on: 2026-01-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | to 2.3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-758 | The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-690 | The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24410 is a vulnerability in the iccDEV library, specifically in the function CIccProfileXml::ParseBasic(). It involves improper input validation and unsafe handling of ICC color profile data, leading to a null pointer dereference and undefined behavior. When processing specially crafted XML input, the function may attempt to access a null pointer, causing a segmentation fault and program crash. This occurs because the code does not properly check if certain XML node pointers or their content are null before using them, resulting in unsafe memory access during parsing. [1, 2]
How can this vulnerability impact me? :
This vulnerability can be exploited by attackers to cause denial of service (DoS) by crashing applications that use the vulnerable iccDEV library. Additionally, attackers may manipulate ICC profile data to bypass application logic or potentially achieve arbitrary code execution in downstream image-processing libraries that rely on this parsing. The impact includes application crashes, data manipulation, and security bypasses, which can compromise the integrity and availability of affected systems. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the iccDEV library's XML parsing functionality with specially crafted ICC profile XML files that trigger the null pointer dereference in the CIccProfileXml::ParseBasic() function. For example, using the `iccFromXml` tool with a malformed XML file similar to `npd-ub-runtime-error-null-pointer-IccProfileXml_cpp-L493.xml` can reproduce the crash. Monitoring for segmentation faults or runtime errors (such as those reported by AddressSanitizer) during XML parsing can indicate the presence of the vulnerability. Specific commands would involve running `iccFromXml` with suspicious or fuzzed ICC profile XML inputs and observing for crashes or errors. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been fixed by adding proper null pointer checks in the CIccProfileXml::ParseBasic() function. Until the upgrade can be applied, avoid processing untrusted or malformed ICC profile XML data with vulnerable versions of iccDEV. There are no workarounds provided, so patching is the recommended action. [2, 3]