{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33856", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-03-24T05:55:55.342Z", "datePublished": "2026-03-24T05:59:58.600Z", "dateUpdated": "2026-03-24T17:50:09.076Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T05:59:58.600Z"}, "title": "Missing Release of Memory after Effective Lifetime in MolotovCherry Android-ImageMagick7", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime", "type": "CWE"}]}], "affected": [{"vendor": "MolotovCherry", "product": "Android-ImageMagick7", "collectionURL": "https://github.com/MolotovCherry/Android-ImageMagick7", "versions": [{"status": "affected", "version": "0", "lessThan": "7.1.2-11", "versionType": "git"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.<p>This issue affects Android-ImageMagick7: before 7.1.2-11.</p>"}]}], "references": [{"url": "https://github.com/MolotovCherry/Android-ImageMagick7/pull/191", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "credits": [{"lang": "en", "value": "TITAN Team (titancaproject@gmail.com)", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T17:49:57.590011Z", "id": "CVE-2026-33856", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T17:50:09.076Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33856", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T17:49:57.590011Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T17:50:02.996Z"}}], "cna": {"title": "Missing Release of Memory after Effective Lifetime in MolotovCherry Android-ImageMagick7", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MolotovCherry", "product": "Android-ImageMagick7", "versions": [{"status": "affected", "version": "0", "lessThan": "7.1.2-11", "versionType": "git"}], "collectionURL": "https://github.com/MolotovCherry/Android-ImageMagick7", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/MolotovCherry/Android-ImageMagick7/pull/191", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.", "supportingMedia": [{"type": "text/html", "value": "Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.<p>This issue affects Android-ImageMagick7: before 7.1.2-11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401 Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T05:59:58.600Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33856", "state": "PUBLISHED", "dateUpdated": "2026-03-24T17:50:09.076Z", "dateReserved": "2026-03-24T05:55:55.342Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-03-24T05:59:58.600Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:molotovcherry:android-imagemagick7:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD4FC35B-5E60-42CC-87A5-71FF393A6EAB", "versionEndExcluding": "7.1.2-11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11."}, {"lang": "es", "value": "Vulnerabilidad por falta de liberaci\u00f3n de memoria despu\u00e9s de la vida \u00fatil efectiva en MolotovCherry Android-ImageMagick7. Este problema afecta a Android-ImageMagick7: antes de 7.1.2-11."}], "id": "CVE-2026-33856", "lastModified": "2026-03-26T19:06:39.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-03-24T06:16:22.970", "references": [{"source": "cve_disclosure@tech.gov.sg", "tags": ["Issue Tracking"], "url": "https://github.com/MolotovCherry/Android-ImageMagick7/pull/191"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.1.2-11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Android-ImageMagick7", "source": "cna", "vendor": "MolotovCherry"}, "product": "android-imagemagick7", "vendor": "molotovcherry"}], "analysis": {"en": {"generated_at": "2026-03-24T07:21:20.609920+00:00", "value": {"mitigation_remediation": ["Upgrade Android-ImageMagick7 to version 7.1.2\u201111 or later.", "Recompile any third\u2011party applications that bundle the library with the patched version.", "If upgrading is not immediately possible, disable or remove image handling features that use the vulnerable library until a fix is available.", "Monitor application memory consumption and terminate processes that repeatedly invoke image processing functions to prevent crashes."], "summary": {"action": "Immediate Patch", "impact": "Memory Leak / Denial of Service"}, "threat_synthesis": {"affected_systems": "Vulnerable releases are all Android\u2011ImageMagick7 versions prior to 7.1.2\u201111 released by MolotovCherry. The bug is present in the code base up to that patch, so any device running one of those builds that uses the library is affected. The fix is delivered in 7.1.2\u201111, where the memory cleanup logic has been corrected.", "description_and_impact": "Missing Release of Memory after Effective Lifetime is a memory leak bug found in MolotovCherry Android-ImageMagick7. The flaw prevents the library from freeing memory that was allocated during image processing, causing the memory footprint to grow unbounded. This can allow an attacker to trigger a denial\u2011of\u2011service condition by repeatedly invoking the vulnerable functions, which can exhaust device resources and cause applications that depend on the library to crash.", "risk_and_exploitability": "With a CVSS score of 7.5 the vulnerability is considered high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker could exploit the flaw by supplying crafted image data to an application that relies on the library, which would then consume increasing amounts of RAM over time. The attack typically requires local code execution within the context of the victim app, meaning that users running affected applications are at potential risk of memory exhaustion and application instability."}}}}, "created": "2026-03-24T10:28:48.551250+00:00", "updated": "2026-03-25T20:39:53.096810+00:00", "vendors": ["molotovcherry", "molotovcherry$PRODUCT$android-imagemagick7"]}