Description
Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java.

This issue affects AppManager: before 4.0.4.
Published: 2026-01-27
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential memory corruption or denial of service
Action: Patch Upgrade
AI Analysis

Impact

An integer overflow or wraparound vulnerability exists in the TarUtils module of MuntashirAkon AppManager, specifically in org.apache.commons.compress.archivers.tar. The flaw arises when processing TAR archive files and can cause incorrect calculation of buffer sizes. This leads to potential memory corruption, application crashes, or denial of service. The weakness is classified as CWE-190, representing integer overflows.

Affected Systems

The vulnerability affects AppManager versions before 4.0.4. It involves the TarUtils.java file within the application's tar handling modules. Users running older releases of the application are at risk if they process untrusted TAR archives.

Risk and Exploitability

The CVSS score of 4.6 indicates a low to moderate severity, while the EPSS score of less than 1% signals a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, further reducing immediate threat. Exploitation would likely require an attacker to supply a malicious TAR file to the application, which suggests a local or user‑supplied vector. Given the current metrics, the immediate risk is low, but securing the application through updates or mitigations is prudent.

Generated by OpenCVE AI on April 18, 2026 at 18:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AppManager to version 4.0.4 or newer to eliminate the integer overflow flaw.
  • Apply the patch referenced in pull request 1598 if using a source build of the application.
  • Restrict processing of TAR archives to trusted inputs and implement checks to ensure that size calculations fall within integer bounds to mitigate the overflow risk.

Generated by OpenCVE AI on April 18, 2026 at 18:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Muntashirakon
Muntashirakon appmanager
Vendors & Products Muntashirakon
Muntashirakon appmanager

Tue, 27 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java. This issue affects AppManager: before 4.0.4.
Title A possible integer overflow vulnerability in RawTherapee/RawTherapee
Weaknesses CWE-190
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Amber'}

Subscriptions

Muntashirakon Appmanager
cve-icon MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T21:39:51.512Z

Reserved: 2026-01-27T07:58:56.403Z

Link: CVE-2026-1464

cve-icon Vulnrichment

Updated: 2026-01-27T21:10:29.692Z

cve-icon NVD

Status : Deferred

Published: 2026-01-27T09:15:48.080

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1464

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:00:08Z

Weaknesses