CVE-2026-33852

High

Published: 24 March 2026

Published

24 March 2026

Modified

26 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0005 16.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33852 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Molotovcherry Android-Imagemagick7. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked at the 16.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the memory leak vulnerability by requiring identification, reporting, and correction of flaws in Android-ImageMagick7 through patching to version 7.1.2-11 or later.

SC-5 Denial-of-service Protection good match

prevent

Protects against denial-of-service attacks caused by repeated exploitation triggering memory leaks and resource exhaustion.

SC-6 Resource Availability good match

prevent

Ensures availability of critical resources like memory by implementing mechanisms to protect against exhaustion from the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1499.003 Application Exhaustion Flood Impact

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

attack.mitre.org →

Why these techniques?

Memory leak (CWE-401) in image processing library directly enables repeated triggering of resource exhaustion to perform application exhaustion flood DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

Deeper analysisAI

CVE-2026-33852 is a Missing Release of Memory after Effective Lifetime vulnerability, classified under CWE-401, in the MolotovCherry Android-ImageMagick7 component. This issue affects Android-ImageMagick7 versions before 7.1.2-11. The vulnerability was published on 2026-03-24 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating a high-severity memory leak that primarily impacts availability.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By triggering the affected code paths repeatedly, the attacker can cause memory leaks, leading to resource exhaustion and denial-of-service conditions on the targeted system.

The primary reference for mitigation is a GitHub pull request at https://github.com/MolotovCherry/Android-ImageMagick7/pull/191, which addresses the issue. Security practitioners should update to Android-ImageMagick7 version 7.1.2-11 or later to remediate the vulnerability.