8.8

CVE-2026-24406

Exploit

iccDEV has Heap Buffer Overflow in CIccTagNamedColor2::SetSize()

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ColorIccdev Version < 2.3.1.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.52% 0.402
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-122 Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h9h3-45cm-j95f
Patch
Vendor Advisory
https://github.com/InternationalColorConsortium/iccDEV/issues/480
Exploit
Issue Tracking
https://github.com/InternationalColorConsortium/iccDEV/commit/90c71cba2c563b1f5dc84197f827540d1baaea67
Patch