What is the CVSS score of CVE-2026-24406?

CVE-2026-24406 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Iccdev are affected by CVE-2026-24406?

A heap buffer overflow vulnerability in iccDEV color management libraries (CVE-2026-24406) affects systems processing ICC color profiles and could enable remote code execution.. A patch is available.

Is there a public PoC exploit available for CVE-2026-24406?

Yes, a public proof-of-concept exploit is available for CVE-2026-24406. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2026-24406?

Within 24 hours: Identify all systems and applications using iccDEV versions 2.3.1.1 and below; assess exposure scope and classify business criticality. Within 7 days: Apply available vendor patch to all affected systems; prioritize production environments and internet-facing applications. Within 30 days: Complete patching of all remaining systems; conduct post-patch validation testing.

Iccdev CVE-2026-24406

HIGH

Improper Input Validation (CWE-20)

2026-01-24 security-advisories@github.com

Buffer Overflow Iccdev

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:59 vuln.today

PoC Detected

Jan 30, 2026 - 18:24 vuln.today

Public exploit code

Patch released

Jan 30, 2026 - 18:24 nvd

Patch available

CVE Published

Jan 24, 2026 - 01:15 nvd

HIGH 8.8

DescriptionGitHub Advisory

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

AnalysisAI

Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution when processing maliciously crafted ICC color profiles, with public exploit code currently available. An unauthenticated attacker can trigger the vulnerability through user-supplied input to the CIccTagNamedColor2::SetSize() function, enabling arbitrary code execution, denial of service, or data manipulation. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious ICC profile file

Delivery

Deliver via network or social engineering

Exploit

Application loads profile into iccDEV library

Execution

SetSize() processes unsanitized input

Persist

Heap buffer overflow triggers

Impact

Execute arbitrary code

Access

Craft malicious ICC profile file

Delivery

Deliver via network or social engineering

Exploit

Application loads profile into iccDEV library

Execution

SetSize() processes unsanitized input

Persist

Heap buffer overflow triggers

Impact

Execute arbitrary code

Vulnerability AssessmentAI

Exploitation	iccDEV library versions 2.3.1.1 and below processing untrusted ICC profile files containing crafted NamedColor2 tag data with oversized size parameters. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to perform DoS, manipulate data, bypass application logic and Code Execution.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems and applications using iccDEV versions 2.3.1.1 and below; assess exposure scope and classify business criticality. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-24406 vulnerability details – vuln.today

Back

Iccdev CVE-2026-24406

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code