Description
Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7. This issue affects Android-ImageMagick7: before 7.1.2-11.
Published: 2026-03-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak Potentially Leading to Information Disclosure
Action: Patch Now
AI Analysis

Impact

The vulnerability involves a failure to release memory after it has reached its effective lifetime within MolotovCherry Android-ImageMagick7, causing a memory leak. This weakness, identified as CWE-401, may allow an attacker to exhaust memory resources or access residual data left in memory, potentially compromising data confidentiality or application stability.

Affected Systems

The affected product is MolotovCherry Android-ImageMagick7. Versions prior to 7.1.2-11 are impacted. No other vendors or product variants are listed.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vector recorded for this entry, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, rates availability impact as High and confidentiality and integrity impact as None. Because the vulnerability is not included in the CISA KEV catalog, it is likely not currently in active use by known threat actors. Exploitation would most likely require an attacker to supply a specially crafted image to an application that employs the affected version of Android-ImageMagick7, potentially allowing the attacker to trigger the memory leak or read residual memory contents. The available information does not indicate a remote code execution vector, but the high CVSS score reflects the significant impact of resource exhaustion or data exposure.

Generated by OpenCVE AI on March 26, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Android-ImageMagick7 to version 7.1.2-11 or later
  • If upgrading is not immediately possible, restrict image processing to trusted sources and employ sandboxing to limit memory exposure
  • Monitor application memory usage for abnormal growth indicative of a memory leak



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:molotovcherry:android-imagemagick7:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Molotovcherry
Molotovcherry android-imagemagick7
Vendors & Products Molotovcherry
Molotovcherry android-imagemagick7

Tue, 24 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.
Title Missing Release of Memory after Effective Lifetime in MolotovCherry Android-ImageMagick7
Weaknesses CWE-401
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-03-24T17:50:09.076Z

Reserved: 2026-03-24T05:55:55.342Z

Link: CVE-2026-33856

Vulnrichment

Updated: 2026-03-24T17:50:02.996Z

NVD

Status: Analyzed

Published: 2026-03-24T06:16:22.970

Modified: 2026-03-26T19:06:39.660

Link: CVE-2026-33856

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:21:16Z

Weaknesses