CVE-2026-24403 HIGH

CVE-2026-24403: iccDEV Undefined Behavior in CIccProfile::CheckHeader() Leads to Integer Overflow

Vendor Internationalcolorconsortium

Product iccDEV

Weakness CWE-20 · Input validation

Published January 24, 2026

Last update January 26, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

What the vulnerability does

01Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or DoS, potentially enabling arbitrary Code Execution or bypassing application logic. This issue has been fixed in version 2.3.1.2.

Key dates

02Disclosure timeline

January 24, 2026 CVE published

January 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-24403

Related vulnerabilities

CVE-2026-24403: iccDEV Undefined Behavior in CIccProfile::CheckHeader() Leads to Integer Overflow

01Description

02Disclosure timeline

03References

04Related CVE