Skip to main content

Android EUVDEUVD-2026-14774

| CVE-2026-33852 HIGH
Memory Leak (CWE-401)
2026-03-24 GovTech CSG GHSA-72f8-jfg6-jwc2
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 06:45 euvd
EUVD-2026-14774
Analysis Generated
Mar 24, 2026 - 06:45 vuln.today
Patch released
Mar 24, 2026 - 06:45 nvd
Patch available
CVE Published
Mar 24, 2026 - 06:01 nvd
HIGH 7.5

DescriptionCVE.org

Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

AnalysisAI

This vulnerability is a memory leak (CWE-401) in Android-ImageMagick7, a port of ImageMagick for Android, that allows remote attackers to cause denial of service by exhausting memory resources. The issue affects all versions of MolotovCherry Android-ImageMagick7 prior to version 7.1.2-11. With a CVSS score of 7.5 and a network-based attack vector requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), attackers can remotely trigger high-impact availability disruption, though there is no current evidence of active exploitation or public proof-of-concept.

Technical ContextAI

Android-ImageMagick7 is a native Android port of the ImageMagick image processing library, providing comprehensive image manipulation capabilities for Android applications. The affected component (cpe:2.3:a:molotovcherry:android-imagemagick7) suffers from CWE-401 (Missing Release of Memory after Effective Lifetime), commonly known as a memory leak. This occurs when the application allocates memory during image processing operations but fails to properly release it after the memory is no longer needed. Over time or through repeated requests, this leads to progressive memory exhaustion, degrading performance and eventually causing application crashes or system instability. The vulnerability likely exists in the native C/C++ code layer where ImageMagick's core processing occurs, as memory management in native code requires explicit deallocation that was evidently omitted or incorrectly implemented in affected code paths.

RemediationAI

Upgrade Android-ImageMagick7 to version 7.1.2-11 or later to resolve the memory leak vulnerability. The patch is available via the vendor's GitHub repository at https://github.com/MolotovCherry/Android-ImageMagick7/pull/191 and should be integrated into affected Android applications through dependency updates. Organizations should review their Android application dependencies and update the Android-ImageMagick7 library to the patched version, then rebuild and redeploy affected applications. As an interim mitigation until patching is complete, consider implementing rate limiting on image processing endpoints, enforcing strict file size limits for uploaded images, monitoring memory usage with automated alerting for abnormal consumption patterns, and implementing automatic service restarts when memory thresholds are reached to minimize service disruption. Additionally, restrict image processing functionality to authenticated users only if feasible, reducing the attack surface from anonymous network-based attackers.

CVE-2015-3105 CRITICAL POC
10.0 Jun 10

Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows and OS X and before 11.2.202.466

CVE-2015-3864 CRITICAL POC
10.0 Oct 01

Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in A

CVE-2013-4710 CRITICAL POC
9.3 Mar 03

Android 3.0 through 4.1.x on Disney Mobile, eAccess, KDDI, NTT DOCOMO, SoftBank, and other devices does not properly imp

CVE-2015-1538 CRITICAL POC
10.0 Oct 01

Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable.cpp in libstagefright in Android bef

CVE-2024-21633 HIGH POC
7.8 Jan 03

Apktool versions 2.9.1 and prior contain a path traversal vulnerability when processing Android APK files. Malicious APK

CVE-2017-13156 HIGH POC
7.8 Dec 06

An elevation of privilege vulnerability in the Android system (art). Rated high severity (CVSS 7.8), this vulnerability

CVE-2016-2107 MEDIUM POC
5.9 May 05

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a

CVE-2015-3106 CRITICAL POC
10.0 Jun 10

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows

CVE-2015-3107 CRITICAL POC
10.0 Jun 10

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.292 and 14.x through 18.x before 18.0.0.160 on Windows

CVE-2013-4787 CRITICAL POC
9.3 Jul 09

Android 1.6 Donut through 4.2 Jelly Bean does not properly check cryptographic signatures for applications, which allows

CVE-2014-7911 HIGH
7.2 Dec 15

luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.

CVE-2016-0801 CRITICAL POC
9.8 Feb 07

The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01

Share

EUVD-2026-14774 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy