CVE-2026-24852
BaseFortify
Publication date: 2026-01-28
Last updated on: 2026-02-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| color | iccdev | to 2.3.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-170 | The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator. |
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap buffer over-read in the iccDEV library prior to version 2.3.1.2. It occurs when the strlen() function attempts to read a buffer that is not null-terminated, potentially causing the application to read beyond the intended memory area. This can lead to leaking of heap memory contents and may cause the application to terminate unexpectedly.
How can this vulnerability impact me? :
The vulnerability can cause leakage of heap memory contents, which may expose sensitive information. Additionally, it can cause the affected application to terminate unexpectedly, leading to denial of service or disruption of normal operations for users processing ICC color profiles with the iccDEV library.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the iccDEV library to version 2.3.1.2 or later, as this version contains the fix for the heap buffer over-read vulnerability. No known workarounds are available, so applying the update is the recommended mitigation step.