CVE-2026-3707
Received Received - Intake
Integer Overflow in MrNanko webp4j DecodeGifFromMemory Function

Publication date: 2026-03-08

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in MrNanko webp4j up to 1.3.x. The affected element is the function DecodeGifFromMemory of the file src/main/c/gif_decoder.c. Such manipulation of the argument canvas_height leads to integer overflow. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is 89771b201c66d15d29e4cc016d8aae82b6a5fbe1. It is advisable to implement a patch to correct this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-08
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3707
EUVD
EUVD-2026-10214
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mrnanko webp4j to 1.3.x (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-189
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3707 is a heap buffer overflow vulnerability in the MrNanko webp4j library, specifically in the DecodeGifFromMemory() function within the src/main/c/gif_decoder.c file. The vulnerability arises due to an integer overflow when calculating the canvas buffer size for GIF images.

The function calculates the canvas size using 32-bit signed integer arithmetic as canvas_width * canvas_height * 4. When both width and height are set to 46341 (values controlled by an attacker via the GIF Logical Screen Descriptor), the multiplication overflows the 32-bit integer limit. Instead of allocating about 8.5 GB of memory, the overflow causes malloc to allocate only about 18 KB.

Subsequently, the ClearCanvas() function attempts to write the full 8.5 GB of data into this small buffer, causing a massive heap buffer overflow. This leads to memory corruption, crashes (such as JVM crashes with segmentation faults), and potentially remote code execution.

The vulnerability can be triggered remotely by submitting a crafted 35-byte malicious GIF file with oversized dimensions, making the attack low cost and practical. The root cause is the lack of proper overflow checks and the use of 32-bit signed integers for size calculations.

Impact Analysis

This vulnerability can have several serious impacts on affected systems using the webp4j library for GIF to WebP conversion:

  • Remote Denial of Service (DoS): An attacker can upload a crafted GIF file that triggers the heap buffer overflow, causing the native code and JVM to crash, resulting in service disruption.
  • Potential Remote Code Execution: The heap overflow can corrupt memory, which might be exploited to execute arbitrary code remotely, compromising system integrity and security.
  • Application Crashes: The overflow causes segmentation faults in native code, leading to instability and crashes of applications relying on webp4j.
  • Affected Services: Any service performing GIF to WebP conversion, such as image CDNs, content management systems, social media backends, or image optimization platforms, could be vulnerable.

Overall, the vulnerability threatens confidentiality, integrity, and availability of systems using the affected library.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal behavior in applications using the webp4j library when processing GIF files, especially if they handle GIF to WebP conversion. Specifically, look for segmentation faults (SIGSEGV) or JVM crashes related to the native code in the GIF decoding process.

Detection can also involve analyzing GIF files being processed or uploaded to the system for suspicious Logical Screen Descriptor dimensions, particularly width and height values set to 46341, which trigger the integer overflow.

Since the exploit involves a crafted 35-byte GIF file with oversized dimensions, you can detect attempts by inspecting network traffic or file uploads for GIF files with unusual Logical Screen Descriptor values.

Suggested commands or steps include:

  • Use file inspection tools or scripts to parse GIF headers and check Logical Screen Descriptor width and height fields for values >= 46341.
  • Monitor application logs and system logs for crashes or segmentation faults related to webp4j or native GIF decoding libraries.
  • Use debugging tools like gdb or JVM crash logs to analyze native crashes in the GIF decoding functions.
  • Example command to inspect GIF header dimensions (using a custom script or tool): extract bytes 6-9 from the GIF file and interpret as little-endian 16-bit integers for width and height.
Mitigation Strategies

The primary immediate mitigation step is to apply the official patch identified by commit 89771b201c66d15d29e4cc016d8aae82b6a5fbe1, which fixes the integer overflow by using size_t types for buffer size calculations and adding proper overflow checks.

If patching is not immediately possible, restrict or validate GIF file uploads or inputs to ensure that Logical Screen Descriptor width and height values do not exceed safe limits (e.g., less than 46341).

Additionally, monitor and limit local access to systems running vulnerable versions of webp4j to reduce the risk of local exploitation.

Consider updating to a fixed or newer version of the webp4j library that includes the patch.

Implement runtime protections such as sandboxing or memory protection mechanisms to mitigate the impact of potential heap buffer overflows.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3707. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart