Description
Out-of-bounds Write vulnerability in MolotovCherry Android-ImageMagick7. This issue affects Android-ImageMagick7: before 7.1.2-11.
Published: 2026-03-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds write causing memory corruption and potential arbitrary code execution
Action: Apply patch
AI Analysis

Impact

This flaw occurs during image decoding in the MolotovCherry Android-ImageMagick7 library. A specially crafted image triggers an out-of-bounds write that overwrites nearby memory. Possible consequences include corrupted internal data structures, unexpected termination, or, if an attacker can control the overwritten data, execution of malicious code. The description lists it as memory corruption with a risk of arbitrary code execution, but no explicit exploit is provided.

Affected Systems

The affected product is the MolotovCherry Android-ImageMagick7 library in all releases prior to 7.1.2-11. Any Android application or service that incorporates this library and processes externally supplied images may be vulnerable. No other components of the Android platform are affected.

Risk and Exploitability

The CVSS base score of 7.8 indicates a high-severity vulnerability. The EPSS score is below 1%, suggesting that publicly available exploits are unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is delivery of a maliciously crafted image that the library then processes, as inferred from the nature of the flaw in an image-processing routine.

Generated by OpenCVE AI on March 26, 2026 at 22:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MolotovCherry Android-ImageMagick7 library to version 7.1.2-11 or later to eliminate the out-of-bounds write.
  • If an update is not immediately possible, review the library’s image handling routines to block or sanitize incoming image data, though no formal workaround is published.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:00:00 +0000

Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:molotovcherry:android-imagemagick7:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 14:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Molotovcherry; Molotovcherry android-imagemagick7

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Molotovcherry; Molotovcherry android-imagemagick7

Tue, 24 Mar 2026 06:45:00 +0000

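Type: Description
  Values Removed: (none)
  Values Added: Out-of-bounds Write vulnerability in MolotovCherry Android-ImageMagick7. This issue affects Android-ImageMagick7: before 7.1.2-11.

Type: Title
  Values Removed: (none)
  Values Added: Out-of-bounds Write in MolotovCherry Android-ImageMagick7

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-787

Type: References
  Values Removed: (none)
  Values Added: (none shown)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}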


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-03-24T13:30:51.179Z

Reserved: 2026-03-24T06:05:11.613Z

Link: CVE-2026-4756

Vulnrichment

Updated: 2026-03-24T13:30:46.523Z

NVD

Status: Analyzed

Published: 2026-03-24T07:16:07.650

Modified: 2026-03-26T18:57:25.300

Link: CVE-2026-4756

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:21:12Z
