CVE-2026-33856
Use-After-Free Memory Vulnerability in Android-ImageMagick7 Before

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
Missing Release of Memory after Effective Lifetime vulnerability in MolotovCherry Android-ImageMagick7. This issue affects Android-ImageMagick7: before 7.1.2-11.
Meta Information
Published: 2026-03-24
Last Modified: 2026-03-26
Generated: 2026-06-16
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: molotovcherry
Product: android-imagemagick7
Version / Range: to 7.1.2-11 (exc)
CWE ID: CWE-401
Description: The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Executive Summary

This vulnerability is a missing release of memory issue in the Android-ImageMagick7 project, specifically in a cloned function from the libxml2 library called xmlParseBalancedChunkMemoryRecover().

The problem occurs because the cloned function did not receive an important security patch that was applied upstream in the original libxml2 code. Under certain conditions, such as when the doc parameter is NULL, a namespace is created and bound to a variable; when the document is later freed without this namespace being properly released, the memory is leaked.

This memory leak can lead to resource exhaustion or instability in the affected software. The issue was fixed by applying the patch from the original libxml2 repository to Android-ImageMagick7.
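
The ownership mistake described above, as an added example that is not code from libxml2 or Android-ImageMagick7. All type and function names are hypothetical, and the model assumes the leak arises because the temporary document's namespace pointer is detached before the document is freed, even when the namespace was created for that document.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins; not libxml2's real types. */
typedef struct Ns { int id; } Ns;
typedef struct Doc { Ns *old_ns; } Doc;

static int live_allocs = 0;  /* counts outstanding allocations */

static void *track_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p) live_allocs++;
    return p;
}
static void track_free(void *p) { if (p) { live_allocs--; free(p); } }

/* Freeing a document also frees the namespace it still points to. */
static void free_doc(Doc *d) { if (d) { track_free(d->old_ns); track_free(d); } }

/* Parse with a temporary document; caller_doc may be NULL.
   patched != 0 selects the corrected cleanup. Returns 0, or -1 on OOM. */
int parse_chunk(Doc *caller_doc, int patched) {
    Doc *tmp = track_alloc(sizeof *tmp);
    if (!tmp) return -1;
    if (caller_doc) {
        tmp->old_ns = caller_doc->old_ns;       /* borrowed from the caller */
    } else {
        tmp->old_ns = track_alloc(sizeof(Ns));  /* created here, owned by tmp */
        if (!tmp->old_ns) { track_free(tmp); return -1; }
    }
    /* ... chunk parsing would happen here ... */
    if (!patched || caller_doc)
        tmp->old_ns = NULL;  /* unpatched: always detach, losing the owned ns */
    free_doc(tmp);           /* patched + NULL caller: ns is freed with tmp */
    return 0;
}

/* Allocations left behind after n parses with caller_doc == NULL. */
int leaked_after(int n, int patched) {
    int before = live_allocs;
    for (int i = 0; i < n; i++) parse_chunk(NULL, patched);
    return live_allocs - before;
}

int main(void) {
    printf("unpatched: %d leaked\n", leaked_after(1000, 0));
    printf("patched:   %d leaked\n", leaked_after(1000, 1));
    return 0;
}
```

Each call with a NULL document leaks one namespace in the unpatched path, so the loss grows linearly with the number of parsed chunks, which is why the impact is on availability.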

Impact Analysis

This vulnerability can impact you by causing a memory leak in the Android-ImageMagick7 software, which may lead to increased memory usage and potential denial of service due to resource exhaustion.

Since the CVSS score rates the impact on availability as high (A:H) and rates no impact on confidentiality or integrity, the main risk is that the affected system or application could become unstable or crash, disrupting normal operations.

Compliance Impact

I don't know

Detection Guidance

This vulnerability relates to a missing release of memory in the function xmlParseBalancedChunkMemoryRecover() within the Android-ImageMagick7 project. Detection would involve identifying the presence of the vulnerable version of Android-ImageMagick7 (before 7.1.2-11) on your system.

You can check the installed version of Android-ImageMagick7 by running commands that query the package version or inspecting the binary version information.

  • For Linux-based systems, use: `dpkg -l | grep android-imagemagick7` or `rpm -qa | grep android-imagemagick7`
  • If the software is built from source or embedded, check the version string with: `android-imagemagick7 --version` or similar command.

Since this vulnerability is a memory leak triggered by specific XML parsing code, network detection is not straightforward. Monitoring for unusual memory usage or crashes in processes using Android-ImageMagick7 might help indicate exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to update Android-ImageMagick7 to version 7.1.2-11 or later, where the vulnerability has been fixed by applying the security patch from the original libxml2 project.

If updating is not immediately possible, consider restricting or monitoring the use of XML parsing features in Android-ImageMagick7 to reduce exposure.

Additionally, monitor system memory usage and application stability to detect potential exploitation attempts.
