Cyber Resilience

CVE-2026-33852

High

Published: 24 March 2026

Published
24 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 17.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33852 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Molotovcherry Android-Imagemagick7. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-33852 is a Missing Release of Memory after Effective Lifetime vulnerability, classified under CWE-401, in the MolotovCherry Android-ImageMagick7 component. This issue affects Android-ImageMagick7 versions before 7.1.2-11. The vulnerability was published on 2026-03-24 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating a high-severity memory leak that primarily impacts availability.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By triggering the affected code paths repeatedly, the attacker can cause memory leaks, leading to resource exhaustion and denial-of-service conditions on the targeted system.

The primary reference for mitigation is a GitHub pull request at https://github.com/MolotovCherry/Android-ImageMagick7/pull/191, which addresses the issue. Security practitioners should update to Android-ImageMagick7 version 7.1.2-11 or later to remediate the vulnerability.

EU & UK References

Vulnerability details

Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.003 Application Exhaustion Flood Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Memory leak (CWE-401) in image processing library directly enables repeated triggering of resource exhaustion to perform application exhaustion flood DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33856Same product: Molotovcherry Android-Imagemagick7
CVE-2026-33854Same product: Molotovcherry Android-Imagemagick7
CVE-2026-33853Same product: Molotovcherry Android-Imagemagick7
CVE-2026-33855Same product: Molotovcherry Android-Imagemagick7
CVE-2026-4756Same product: Molotovcherry Android-Imagemagick7
CVE-2026-4755Same product: Molotovcherry Android-Imagemagick7
CVE-2026-32874Shared CWE-401
CVE-2026-23414Shared CWE-401
CVE-2026-25988Shared CWE-401
CVE-2025-0241Shared CWE-401

Affected Assets

molotovcherry
android-imagemagick7
≤ 7.1.2-11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the memory leak vulnerability by requiring identification, reporting, and correction of flaws in Android-ImageMagick7 through patching to version 7.1.2-11 or later.

prevent

Protects against denial-of-service attacks caused by repeated exploitation triggering memory leaks and resource exhaustion.

prevent

Ensures availability of critical resources like memory by implementing mechanisms to protect against exhaustion from the vulnerability.

References