CVE-2026-33856

High

Published: 24 March 2026

Published

24 March 2026

Modified

26 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0005 16.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33856 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Molotovcherry Android-Imagemagick7. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 16.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation and patching, directly addressing the memory leak in Android-ImageMagick7 by updating to version 7.1.2-11 or later.

SI-16 Memory Protection good match

prevent

SI-16 employs memory protection techniques such as restricting attacker memory consumption and memory timeouts, preventing exhaustion from the CVE's memory leak.

SC-5 Denial-of-service Protection partial match

prevent

SC-5 provides denial-of-service protections against resource exhaustion attacks like the remote memory leak exploitation in this CVE.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Memory leak (CWE-401) in image processing library directly enables remote exploitation for endpoint DoS via application/system resource exhaustion with no C/I impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-11.

Deeper analysisAI

CVE-2026-33856 is a Missing Release of Memory after Effective Lifetime vulnerability (CWE-401) in the MolotovCherry Android-ImageMagick7 library. This issue affects versions of Android-ImageMagick7 prior to 7.1.2-11 and was published on 2026-03-24. The vulnerability has a CVSS v3.1 base score of 7.5, rated as High severity.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, no user interaction, and without changing scope (AV:N/AC:L/PR:N/UI:N/S:U). Successful exploitation results in no impact to confidentiality or integrity but high impact to availability (C:N/I:N/A:H), typically manifesting as denial of service through memory exhaustion due to improper memory release.

The referenced GitHub pull request at https://github.com/MolotovCherry/Android-ImageMagick7/pull/191 provides the fix for this vulnerability. Mitigation involves updating Android-ImageMagick7 to version 7.1.2-11 or later.

Details

CWE(s): CWE-401

Affected Products

molotovcherry

android-imagemagick7

≤ 7.1.2-11

CVEs Like This One

CVE-2026-33852Same product: Molotovcherry Android-Imagemagick7

CVE-2026-33853Same product: Molotovcherry Android-Imagemagick7

CVE-2026-33855Same product: Molotovcherry Android-Imagemagick7

CVE-2026-4756Same product: Molotovcherry Android-Imagemagick7

CVE-2026-4755Same product: Molotovcherry Android-Imagemagick7

CVE-2026-33854Same product: Molotovcherry Android-Imagemagick7

CVE-2026-4247Shared CWE-401

CVE-2026-20105Shared CWE-401

CVE-2025-25199Shared CWE-401

CVE-2026-3650Shared CWE-401

References

https://github.com/MolotovCherry/Android-ImageMagick7/pull/191
Issue Tracking · cve_disclosure@tech.gov.sg