CVE-2026-4756
Out-of-Bounds Write in Android-ImageMagick7 Before
Publication date: 2026-03-24
Last updated on: 2026-03-26
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| molotovcherry | android-imagemagick7 | up to 7.1.2-11 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4756 is an out-of-bounds write vulnerability in the `decomp()` function of the Android-ImageMagick7 project. This vulnerability arises because the `decomp()` function was cloned from the libjpeg-turbo library version 2.0.2 without including a critical security patch that fixed an integer overflow issue.
The integer overflow occurs when decompressing very large images (larger than approximately 715,827,882 pixels), which can cause the program to calculate incorrect memory sizes, leading to out-of-bounds memory access and potential memory corruption.
This vulnerability was fixed by applying the original libjpeg-turbo patch that prevents the signed integer overflow during image decompression, ensuring safe handling of large images.
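The overflow described above, as an added illustration that is not code from Android-ImageMagick7 or libjpeg-turbo: `naive_image_bytes` models a buffer-length calculation done entirely in signed 32-bit ints, the pattern that wraps once width * height * bytes-per-pixel passes INT_MAX, and `checked_image_bytes` is a hardened replacement that tests each multiplication before performing it. The packed-RGB, 3-bytes-per-pixel assumption is mine; with it, INT_MAX / 3 works out to exactly 715,827,882, the threshold quoted above. All function and macro names are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed pixel size: packed RGB, 3 bytes per pixel. INT_MAX / 3 == 715827882,
   the approximate pixel count the advisory names as the trigger threshold. */
#define RGB_PIXELSIZE 3
#define RGB_PIXEL_LIMIT (INT_MAX / RGB_PIXELSIZE)

/* Model of the unpatched size computation: every operand is a signed 32-bit int,
   so width * height * pixelsize wraps past INT_MAX. Signed overflow is undefined
   behaviour in C, so the wrap is reproduced deterministically by truncating a
   64-bit product to 32 bits. A negative (or far too small) result is what a
   buggy allocation would be handed; later writes then run past the real buffer.
   Hypothetical helper, not project code. */
int naive_image_bytes(int width, int height, int pixelsize)
{
    int64_t product = (int64_t)width * (int64_t)height * (int64_t)pixelsize;
    return (int32_t)(uint32_t)product;
}

/* Hardened computation: validate dimensions, check each multiplication against
   overflow before doing it, and refuse anything that would not fit the int-sized
   buffer length a decompression API expects. Returns 1 and stores the byte count
   in *out on success, 0 on rejection. Hypothetical helper, not project code. */
int checked_image_bytes(int width, int height, int pixelsize, size_t *out)
{
    if (width <= 0 || height <= 0 || pixelsize <= 0 || out == NULL)
        return 0;
    size_t w = (size_t)width, h = (size_t)height, ps = (size_t)pixelsize;
    if (w > SIZE_MAX / h)            /* w * h would overflow size_t */
        return 0;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / ps)      /* pixels * ps would overflow size_t */
        return 0;
    size_t bytes = pixels * ps;
    if (bytes > (size_t)INT_MAX)     /* would not fit an int buffer length */
        return 0;
    *out = bytes;
    return 1;
}

/* Does an image of these dimensions exceed the advisory's RGB pixel threshold? */
int exceeds_rgb_limit(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 1;
    return (int64_t)width * (int64_t)height > (int64_t)RGB_PIXEL_LIMIT;
}

int main(void)
{
    /* Constructed sample dimensions: two below and two above the threshold. */
    const int dims[][2] = {
        {20000, 20000}, {30000, 30000}, {RGB_PIXEL_LIMIT, 1}, {RGB_PIXEL_LIMIT + 1, 1}
    };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        int w = dims[i][0], h = dims[i][1];
        size_t bytes = 0;
        int ok = checked_image_bytes(w, h, RGB_PIXELSIZE, &bytes);
        printf("%10d x %-10d naive=%11d checked=%s", w, h,
               naive_image_bytes(w, h, RGB_PIXELSIZE), ok ? "accepted" : "rejected");
        if (ok)
            printf(" (%zu bytes)", bytes);
        printf("\n");
    }
    return 0;
}
```

Build with any C99 or later compiler (for example `cc -std=c11 -Wall overflow_check.c`); the 30000 x 30000 and 715,827,883-pixel rows show the naive length going negative while the checked version rejects them before any allocation happens.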
How can this vulnerability impact me?
This vulnerability can lead to out-of-bounds memory writes during image decompression, which may cause memory corruption, crashes (segmentation faults), or potentially allow an attacker to execute arbitrary code.
Because the vulnerability affects the integrity and availability of the system processing large images, it poses a high risk, as indicated by its CVSS score of 7.8 with high impact on confidentiality, integrity, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in CVE-2026-4756 is an integer overflow and out-of-bounds write in the decomp() function of Android-ImageMagick7, specifically when decompressing very large images. Detection would involve identifying usage of vulnerable versions of Android-ImageMagick7 (before 7.1.2-11) and monitoring for crashes or segmentation faults during image decompression.
Since the issue is triggered by decompressing images larger than approximately 715,827,882 pixels, one detection approach is to test the system by decompressing large images and observing for abnormal behavior or crashes.
There are no specific commands provided in the resources for direct detection or scanning. However, you can check the installed version of Android-ImageMagick7 to see if it is before 7.1.2-11, for example:
- Check the installed package version (example for Linux package managers): `dpkg -l | grep android-imagemagick7` or `rpm -qa | grep android-imagemagick7`
- Monitor logs for segmentation faults or crashes related to image decompression processes.
- If you have access to the source or binaries, verify if the security patch from libjpeg-turbo commit `c30b1e7` has been applied.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Android-ImageMagick7 to version 7.1.2-11 or later, where the security patch from libjpeg-turbo has been applied to fix the integer overflow and out-of-bounds write in the decomp() function.
If updating is not immediately possible, avoid decompressing very large images (larger than approximately 715,827,882 pixels) using the vulnerable versions to reduce the risk of triggering the overflow.
Additionally, monitor your systems for crashes or abnormal behavior during image decompression and apply any vendor-provided patches or updates as soon as they become available.