CVE-2026-34883

Vulnerability

Portrait Dell Color Management application versions 3.6.0 and prior on Windows contain an improper handling of symbolic links during installation [1][2]. The installer writes the file CCFLFamily_07Feb11.edr to C:\ProgramData\Portrait Displays\CW\data\i1D3\ while running with elevated privileges, but does not validate symbolic links or reparse points at the destination path. This allows an attacker to create a malicious link before the install, redirecting the write operation to an arbitrary system location.

Exploitation

A local low-privileged attacker with write access to the target directory can create a symbolic link pointing to a system location (e.g., a critical executable or configuration file). When the Dell Color Management installer runs with elevated privileges and attempts to write the file, it follows the link and overwrites or creates a file at the attacker-chosen destination [1][2]. No additional user interaction or authentication is required beyond having local access and the ability to create the symbolic link.

Impact

Successful exploitation enables arbitrary file creation or overwrite with SYSTEM privileges. This can be leveraged to escalate privileges to Administrator, for example by overwriting a system binary or a scheduled task definition [1][2]. The attacker gains full control over the file system at the location of the redirected write, potentially leading to complete system compromise.

Mitigation

The vulnerability is fixed in Dell Color Management version 3.7.0.0 and higher [2]. Users should not uninstall the previous version before installing the update; the installer will overwrite the vulnerable files and remove the exploit mechanism [2]. No workaround is available for unpatched versions.