CVE-2026-24410
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-24

Last updated on: 2026-01-30

Assigner: GitHub, Inc.

Description
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and Null Pointer Deference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-01-30
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24410
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
color iccdev to 2.3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-690 The product does not check for an error after calling a function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference.
CWE-758 The product uses an API function, data structure, or other entity in a way that relies on properties that are not always guaranteed to hold for that entity.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24410 is a vulnerability in the iccDEV library, specifically in the function CIccProfileXml::ParseBasic(). It involves improper input validation and unsafe handling of ICC color profile data, leading to a null pointer dereference and undefined behavior. When processing specially crafted XML input, the function may attempt to access a null pointer, causing a segmentation fault and program crash. This occurs because the code does not properly check if certain XML node pointers or their content are null before using them, resulting in unsafe memory access during parsing. [1, 2]

Impact Analysis

This vulnerability can be exploited by attackers to cause denial of service (DoS) by crashing applications that use the vulnerable iccDEV library. Additionally, attackers may manipulate ICC profile data to bypass application logic or potentially achieve arbitrary code execution in downstream image-processing libraries that rely on this parsing. The impact includes application crashes, data manipulation, and security bypasses, which can compromise the integrity and availability of affected systems. [2]

Detection Guidance

This vulnerability can be detected by testing the iccDEV library's XML parsing functionality with specially crafted ICC profile XML files that trigger the null pointer dereference in the CIccProfileXml::ParseBasic() function. For example, using the `iccFromXml` tool with a malformed XML file similar to `npd-ub-runtime-error-null-pointer-IccProfileXml_cpp-L493.xml` can reproduce the crash. Monitoring for segmentation faults or runtime errors (such as those reported by AddressSanitizer) during XML parsing can indicate the presence of the vulnerability. Specific commands would involve running `iccFromXml` with suspicious or fuzzed ICC profile XML inputs and observing for crashes or errors. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been fixed by adding proper null pointer checks in the CIccProfileXml::ParseBasic() function. Until the upgrade can be applied, avoid processing untrusted or malformed ICC profile XML data with vulnerable versions of iccDEV. There are no workarounds provided, so patching is the recommended action. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24410. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart