What is the CVSS score of CVE-2026-24412?

CVE-2026-24412 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.2%.

Which versions of Iccdev are affected by CVE-2026-24412?

A heap buffer overflow vulnerability in iccDEV color management libraries (versions 2.3.1.1 and below) could allow attackers to execute arbitrary code on systems processing ICC color profiles.. A patch is available.

Is there a public PoC exploit available for CVE-2026-24412?

Yes, a public proof-of-concept exploit is available for CVE-2026-24412. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2026-24412?

Within 24 hours: Identify all systems and applications using iccDEV versions 2.3.1.1 and below; assess whether they process untrusted ICC profiles from external sources. Within 7 days: Apply vendor patch to all affected systems; prioritize internet-facing or user-input processing systems. Within 30 days: Complete patch deployment across the entire environment and validate through testing.

Iccdev CVE-2026-24412

HIGH

Improper Input Validation (CWE-20)

2026-01-24 security-advisories@github.com

Buffer Overflow Iccdev

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:59 vuln.today

PoC Detected

Jan 30, 2026 - 18:25 vuln.today

Public exploit code

Patch released

Jan 30, 2026 - 18:25 nvd

Patch available

CVE Published

Jan 24, 2026 - 02:15 nvd

HIGH 8.8

DescriptionGitHub Advisory

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have aHeap Buffer Overflow vulnerability in the CIccTagXmlSegmentedCurve::ToXml() function. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.

AnalysisAI

Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution through maliciously crafted ICC color profile data submitted to the CIccTagXmlSegmentedCurve::ToXml() function. Public exploit code exists for this vulnerability, enabling attackers to achieve denial of service, data manipulation, and arbitrary code execution with no authentication required. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious ICC profile with oversized segmented curve data

Delivery

Upload or load profile into vulnerable iccDEV application

Exploit

Trigger CIccTagXmlSegmentedCurve::ToXml() parsing

Execution

Heap buffer overflow during XML conversion

Impact

Execute arbitrary code with application privileges

Access

Craft malicious ICC profile with oversized segmented curve data

Delivery

Upload or load profile into vulnerable iccDEV application

Exploit

Trigger CIccTagXmlSegmentedCurve::ToXml() parsing

Execution

Heap buffer overflow during XML conversion

Impact

Execute arbitrary code with application privileges

Vulnerability AssessmentAI

Exploitation	User must open or import a crafted ICC color profile file (versions 2.3.1.1 and below). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to perform DoS, manipulate data, bypass application logic and Code Execution.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems and applications using iccDEV versions 2.3.1.1 and below; assess whether they process untrusted ICC profiles from external sources. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-24412 vulnerability details – vuln.today

Back

Iccdev CVE-2026-24412

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code