CVE-2026-33855
Integer Overflow in Android-ImageMagick7 Before
Publication date: 2026-03-24
Last updated on: 2026-03-26
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| molotovcherry | android-imagemagick7 | up to 7.1.2-11 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an Integer Overflow or Wraparound issue found in the MolotovCherry Android-ImageMagick7 software, specifically affecting versions before 7.1.2-11.
The problem occurs in the AllocateDataSet() function within the liblcms2-2.9/src/cmscgats.c file, which was cloned from the Little-CMS project but initially lacked a critical security patch.
This flaw relates to improper handling of memory allocation for CGATS data, which can lead to security issues such as integer overflow or wraparound.
The vulnerability was fixed by applying a patch from the original Little-CMS project that improves memory allocation handling to prevent this issue.
How can this vulnerability impact me?
This vulnerability has a CVSS base score of 5.5, indicating a moderate severity.
It requires local access (AV:L) and low attack complexity (AC:L), with no privileges required (PR:N) but user interaction is needed (UI:R).
The impact is primarily on availability (A:H), meaning it can cause denial of service or crash the application, but it does not affect confidentiality or integrity.
Therefore, an attacker could potentially cause the application to become unavailable or unstable by exploiting this integer overflow.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update MolotovCherry Android-ImageMagick7 to version 7.1.2-11 or later, which includes the security fix.
The fix involves applying a patch to the AllocateDataSet() function in the liblcms2-2.9/src/cmscgats.c file, improving memory allocation handling to prevent the integer overflow or wraparound issue.
This patch was merged into the MolotovCherry/Android-ImageMagick7 repository on December 19, 2025, so upgrading to the fixed version or applying the patch manually is recommended.
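
The class of bug described above (CWE-190 in an allocation size), shown as an added example that is not code from Little-CMS or Android-ImageMagick7: a byte count derived from two counts parsed from untrusted input, first unchecked and then range-checked. The function names, the table layout and the 64 MiB cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy limit for one table (illustrative, not from the patch). */
#define MAX_TABLE_BYTES ((size_t)64 * 1024 * 1024)

/* Hypothetical layout: (n_fields + 1) * (n_sets + 1) string cells, with both
 * counts parsed from an untrusted file header. */

/* Unchecked: the 32-bit product can wrap to a small value, so the buffer
 * would be far smaller than the table later written into it. */
uint32_t table_bytes_unchecked(int32_t n_fields, int32_t n_sets)
{
    return ((uint32_t)n_fields + 1u) * ((uint32_t)n_sets + 1u)
           * (uint32_t)sizeof(char *);
}

/* Checked: reject negative counts, wrapping products and oversized tables.
 * Returns 0 and stores the byte count in *out, or -1 if the input is refused. */
int table_bytes_checked(int32_t n_fields, int32_t n_sets, size_t *out)
{
    if (n_fields < 0 || n_sets < 0)
        return -1;
    size_t rows = (size_t)n_fields + 1;
    size_t cols = (size_t)n_sets + 1;
    if (rows > SIZE_MAX / cols)                    /* rows * cols would wrap */
        return -1;
    size_t cells = rows * cols;
    if (cells > MAX_TABLE_BYTES / sizeof(char *))  /* too large (or would wrap) */
        return -1;
    *out = cells * sizeof(char *);
    return 0;
}

int main(void)
{
    size_t bytes = 0;
    /* Constructed inputs: 65536 * 65536 == 2^32, which wraps to 0 in 32 bits. */
    printf("unchecked(65535, 65535) = %u bytes\n",
           (unsigned)table_bytes_unchecked(65535, 65535));
    printf("checked(65535, 65535)   = %d\n",
           table_bytes_checked(65535, 65535, &bytes));
    if (table_bytes_checked(3, 9, &bytes) == 0)
        printf("checked(3, 9)           = %zu bytes\n", bytes);
    return 0;
}
```

A caller of the checked form must treat `-1` as a parse error and stop processing the file rather than fall back to a default size.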