CVE-2026-24856— iccDEV 代码问题漏洞

iccDEV has UB runtime error in <icTagTypeSignature>

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing potentially corrupting memory structures and enabling arbitrary code execution. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

输入验证不恰当

iccDEV 代码问题漏洞

iccDEV是International Color Consortium开源的一个颜色配置代码库。 iccDEV 2.3.1.2之前版本存在代码问题漏洞，该漏洞源于解析ICC配置文件XML时将浮点NaN值转换为无符号短整数类型时存在未定义行为，可能导致内存结构损坏和执行任意代码。

N/A

N/A