CVE-2026-3707 - Vulnerability Details

- MrNanko webp4j gif_decoder.c DecodeGifFromMemory integer overflow

Description

A vulnerability was identified in MrNanko webp4j up to 1.3.x. The affected element is the function DecodeGifFromMemory of the file src/main/c/gif_decoder.c. Such manipulation of the argument canvas_height leads to integer overflow. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is 89771b201c66d15d29e4cc016d8aae82b6a5fbe1. It is advisable to implement a patch to correct this issue.

Published: 2026-03-08

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability lies in the DecodeGifFromMemory function of the webp4j library. Manipulating the canvas_height argument can trigger an integer overflow. The overflow could lead to memory corruption, which is inferred from the nature of integer overflow vulnerabilities and not explicitly detailed in the CVE text.

Affected Systems

MrNanko webp4j versions up to 1.3.x are affected. The flaw exists in the gif_decoder.c source file used when the library decodes GIF images in applications that embed webp4j. Any system that incorporates these versions without the recent patch is potentially vulnerable.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not cataloged in the CISA KEV. Exploitation requires local access; an attacker must supply a crafted GIF file to the vulnerable application. Because a public exploit is available, systems running the affected library should apply the patch urgently to prevent possible memory corruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MrNanko

webp4j

affected

Version	Status	Constraints
`1.0`	affected	—
`1.1`	affected	—
`1.2`	affected	—
`1.3`	affected	—

No data.

Vendor Product Confidence Versions

Mrnanko

Webp4j

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—
`1.1`	affected	generic	—
`1.2`	affected	generic	—
`1.3`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the upstream patch corresponding to commit 89771b201c66d15d29e4cc016d8aae82b6a5fbe1 or upgrade to a later webp4j release that includes the integer overflow fix.
If the application accepts GIFs from untrusted sources, execute the webp4j decoding process in a sandbox or under a least‑privileged user to contain any potential memory corruption.
As a temporary measure, configure the application to reject GIF images whose canvas_height values exceed reasonable bounds or disable GIF decoding entirely until the patch is applied.

Generated by OpenCVE AI on April 18, 2026 at 17:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/MrNanko/webp4j/
https://github.com/MrNanko/webp4j/commit/89771b201c66d15d29e4cc016d8aae82b6a5fbe1
https://github.com/MrNanko/webp4j/issues/6
https://github.com/MrNanko/webp4j/issues/6#issuecomment-3941945014
https://github.com/Sp1d3rL1/Webp4j-Heap-Buffer-Overflow/blob/main/README.EN.md
https://vuldb.com/?ctiid.349653
https://vuldb.com/?id.349653
https://vuldb.com/?submit.765972

History

Tue, 10 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mrnanko Mrnanko webp4j
Vendors & Products		Mrnanko Mrnanko webp4j

Sun, 08 Mar 2026 05:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in MrNanko webp4j up to 1.3.x. The affected element is the function DecodeGifFromMemory of the file src/main/c/gif_decoder.c. Such manipulation of the argument canvas_height leads to integer overflow. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is 89771b201c66d15d29e4cc016d8aae82b6a5fbe1. It is advisable to implement a patch to correct this issue.
Title		MrNanko webp4j gif_decoder.c DecodeGifFromMemory integer overflow
Weaknesses		CWE-189 CWE-190
References		https://github.com/MrNanko/webp4j/ https://github.com/MrNanko/webp4j/commit/89771b201c66d15d29e4cc016d8aae82b6a5fbe1 https://github.com/MrNanko/webp4j/issues/6 https://github.com/MrNanko/webp4j/issues/6#issuecomment-3941945014 https://github.com/Sp1d3rL1/Webp4j-Heap-Buffer-Overflow/blob/main/README.EN.md https://vuldb.com/?ctiid.349653 https://vuldb.com/?id.349653 https://vuldb.com/?submit.765972
Metrics		cvssV2_0 `{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Mrnanko Webp4j

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-03-08T05:02:15.404Z

Updated: 2026-03-10T14:09:23.158Z

Reserved: 2026-03-07T09:09:50.930Z

Link: CVE-2026-3707

Vulnrichment

Updated: 2026-03-10T14:09:19.378Z

NVD

Status : Awaiting Analysis

Published: 2026-03-08T05:16:32.193

Modified: 2026-03-09T13:35:07.393

Link: CVE-2026-3707

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:30:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object