CVE-2026-33854

High

Published: 24 March 2026

Published

24 March 2026

Modified

26 March 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0005 16.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33854 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Molotovcherry Android-Imagemagick7. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 16.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely remediation of software flaws like this out-of-bounds write in Android-ImageMagick7 by patching to version 7.1.2-10 or later.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms such as ASLR and DEP that defend against exploitation of out-of-bounds write vulnerabilities in image processing libraries.

SI-10 Information Input Validation partial match

prevent

Requires validation of untrusted image inputs before processing by the vulnerable ImageMagick library to block specially crafted files that trigger the out-of-bounds write.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Out-of-bounds write in image library enables client-side RCE when a crafted image is processed; directly maps to exploitation for client execution and user execution of malicious file.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Out-of-bounds Write vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-10.

Deeper analysisAI

CVE-2026-33854 is an out-of-bounds write vulnerability (CWE-787) in the MolotovCherry Android-ImageMagick7 library. It affects versions of Android-ImageMagick7 prior to 7.1.2-10. The vulnerability was published on 2026-03-24 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

The vulnerability can be exploited over the network by an unauthenticated attacker with low complexity, though it requires user interaction, such as processing a specially crafted image file. Successful exploitation enables high-impact consequences, including unauthorized disclosure of information, modification of data, and denial of service, potentially leading to full system compromise on affected Android devices using the vulnerable ImageMagick implementation.

A pull request addressing the issue is available at https://github.com/MolotovCherry/Android-ImageMagick7/pull/184, which security practitioners should review for patching details and apply the fix by upgrading to Android-ImageMagick7 version 7.1.2-10 or later.