Home > Vulnerability Database > CVE-2026-24852

Mend.io Vulnerability Database

CVE-2026-24852

Good to know:

Date: January 27, 2026

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, a heap buffer over-read when the strlen() function attempts to read a non-null-terminated buffer potentially leaking heap memory contents and causing application termination. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available.

Severity Score

6.1

Related Resources (5)

Url: https://github.com/InternationalColorConsortium/iccDEV/commit/3092499cd4d0775f4a716b999899f9c26f9bc614

Url: https://github.com/InternationalColorConsortium/iccDEV/pull/540

Url: https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-q8g2-mp32-3j7f

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24852

Url: https://www.mend.io/vulnerability-database/CVE-2026-24852

Severity Score

6.1

Weakness Type (CWE)

Out-of-bounds Read

CWE-125

Heap-based Buffer Overflow

CWE-122

Improper Null Termination

CWE-170

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24852

Good to know:

Date: January 27, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?