CVE-2026-3707
Integer Overflow in MrNanko webp4j DecodeGifFromMemory Function
Publication date: 2026-03-08
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mrnanko | webp4j | to 1.3.x (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-189 | |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3707 is a heap buffer overflow vulnerability in the MrNanko webp4j library, specifically in the DecodeGifFromMemory() function within the src/main/c/gif_decoder.c file. The vulnerability arises due to an integer overflow when calculating the canvas buffer size for GIF images.
The function calculates the canvas size using 32-bit signed integer arithmetic as canvas_width * canvas_height * 4. When both width and height are set to 46341 (values controlled by an attacker via the GIF Logical Screen Descriptor), the multiplication overflows the 32-bit integer limit. Instead of allocating about 8.5 GB of memory, the overflow causes malloc to allocate only about 18 KB.
Subsequently, the ClearCanvas() function attempts to write the full 8.5 GB of data into this small buffer, causing a massive heap buffer overflow. This leads to memory corruption, crashes (such as JVM crashes with segmentation faults), and potentially remote code execution.
The vulnerability can be triggered remotely by submitting a crafted 35-byte malicious GIF file with oversized dimensions, making the attack low cost and practical. The root cause is the lack of proper overflow checks and the use of 32-bit signed integers for size calculations.
How can this vulnerability impact me? :
This vulnerability can have several serious impacts on affected systems using the webp4j library for GIF to WebP conversion:
- Remote Denial of Service (DoS): An attacker can upload a crafted GIF file that triggers the heap buffer overflow, causing the native code and JVM to crash, resulting in service disruption.
- Potential Remote Code Execution: The heap overflow can corrupt memory, which might be exploited to execute arbitrary code remotely, compromising system integrity and security.
- Application Crashes: The overflow causes segmentation faults in native code, leading to instability and crashes of applications relying on webp4j.
- Affected Services: Any service performing GIF to WebP conversion, such as image CDNs, content management systems, social media backends, or image optimization platforms, could be vulnerable.
Overall, the vulnerability threatens confidentiality, integrity, and availability of systems using the affected library.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or abnormal behavior in applications using the webp4j library when processing GIF files, especially if they handle GIF to WebP conversion. Specifically, look for segmentation faults (SIGSEGV) or JVM crashes related to the native code in the GIF decoding process.
Detection can also involve analyzing GIF files being processed or uploaded to the system for suspicious Logical Screen Descriptor dimensions, particularly width and height values set to 46341, which trigger the integer overflow.
Since the exploit involves a crafted 35-byte GIF file with oversized dimensions, you can detect attempts by inspecting network traffic or file uploads for GIF files with unusual Logical Screen Descriptor values.
Suggested commands or steps include:
- Use file inspection tools or scripts to parse GIF headers and check Logical Screen Descriptor width and height fields for values >= 46341.
- Monitor application logs and system logs for crashes or segmentation faults related to webp4j or native GIF decoding libraries.
- Use debugging tools like gdb or JVM crash logs to analyze native crashes in the GIF decoding functions.
- Example command to inspect GIF header dimensions (using a custom script or tool): extract bytes 6-9 from the GIF file and interpret as little-endian 16-bit integers for width and height.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to apply the official patch identified by commit 89771b201c66d15d29e4cc016d8aae82b6a5fbe1, which fixes the integer overflow by using size_t types for buffer size calculations and adding proper overflow checks.
If patching is not immediately possible, restrict or validate GIF file uploads or inputs to ensure that Logical Screen Descriptor width and height values do not exceed safe limits (e.g., less than 46341).
Additionally, monitor and limit local access to systems running vulnerable versions of webp4j to reduce the risk of local exploitation.
Consider updating to a fixed or newer version of the webp4j library that includes the patch.
Implement runtime protections such as sandboxing or memory protection mechanisms to mitigate the impact of potential heap buffer overflows.