CVE-2026-24412
BaseFortify
Publication date: 2026-01-24
Last updated on: 2026-01-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | to 2.3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24412 is a heap buffer overflow vulnerability in the iccDEV library, specifically in the function icCurvesFromXml() which parses ICC profile XML curve data. The vulnerability occurs because the function improperly handles memory allocation and bounds checking when converting XML nodes into internal curve objects, leading to writing beyond the allocated heap buffer. This happens when user-controllable input is unsafely incorporated into ICC profile data, causing memory corruption during parsing of maliciously crafted ICC XML data. [1, 3]
How can this vulnerability impact me? :
Exploitation of this vulnerability can allow an attacker to cause denial of service (DoS) by crashing the application processing the ICC profiles, manipulate data or bypass application logic that relies on profile metadata, and potentially achieve arbitrary code execution. This means attackers could disrupt services, alter data integrity, or execute malicious code on systems using vulnerable versions of iccDEV. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing the processing of ICC profile XML data, particularly by testing the parsing of ICC profiles with crafted XML files that trigger the heap buffer overflow in the icCurvesFromXml() function. Using the iccFromXml command-line tool from the iccDEV project to parse suspicious or crafted ICC XML files can reveal the vulnerability, especially if AddressSanitizer (ASan) or similar memory error detection tools report invalid heap writes or buffer overflows. For example, running a command like `iccFromXml crafted-malicious-profile.xml` on a Linux system with ASan enabled can detect the overflow. Monitoring for error messages such as "Error!- Failed to parse MCurves." during ICC profile parsing may also indicate attempts to exploit this vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the iccDEV library to version 2.3.1.2 or later, where the vulnerability has been fixed. This update corrects the parsing logic in the icCurvesFromXml() and icMBBFromXml() functions to prevent heap buffer overflows. Since no workarounds are provided, applying the official patch or updated version is essential to prevent exploitation. Additionally, avoid processing untrusted or malformed ICC profiles until the update is applied. [2, 3]