Skip to content
Threat Feed
medium advisory

Android-ImageMagick7 Memory Leak Vulnerability (CVE-2026-33856)

A missing release of memory after effective lifetime vulnerability exists in MolotovCherry Android-ImageMagick7 before version 7.1.2-11, potentially leading to denial of service.

CVE-2026-33856 describes a memory leak vulnerability affecting MolotovCherry Android-ImageMagick7 versions prior to 7.1.2-11. This vulnerability, classified as a Missing Release of Memory after Effective Lifetime (CWE-401), could be exploited by a malicious actor to cause a denial-of-service condition. The vulnerability resides within the Android-ImageMagick7 library, a port of ImageMagick to the Android platform. An attacker could potentially trigger the memory leak by submitting crafted image files for processing, exhausting available memory resources, and ultimately crashing the application or device. Defenders should prioritize patching vulnerable versions of Android-ImageMagick7.

Attack Chain

  1. Attacker crafts a malicious image file specifically designed to trigger the memory leak in Android-ImageMagick7.
  2. The attacker deploys the malicious image to a web server or other publicly accessible location.
  3. A user downloads an application that utilizes the vulnerable Android-ImageMagick7 library.
  4. The user visits a website or opens an application that loads the attacker's crafted image file using Android-ImageMagick7.
  5. Android-ImageMagick7 processes the image file, allocating memory for image operations.
  6. Due to the vulnerability (CWE-401), the allocated memory is not properly released after it's no longer needed, leading to a memory leak.
  7. Repeated processing of similar malicious images progressively consumes available memory.
  8. The system eventually runs out of memory, causing the application to crash or the entire Android device to become unresponsive (Denial of Service).

Impact

Successful exploitation of CVE-2026-33856 can lead to a denial-of-service condition on affected Android devices. While the provided information doesn't specify the number of victims or targeted sectors, the impact is significant for applications relying on Android-ImageMagick7 for image processing. An attacker could potentially disrupt services and cause data loss due to application crashes.

Recommendation

  • Upgrade Android-ImageMagick7 to version 7.1.2-11 or later to remediate CVE-2026-33856 (reference: CVE-2026-33856).
  • Monitor applications that use Android-ImageMagick7 for excessive memory consumption that could indicate exploitation of this vulnerability.
  • Deploy the Sigma rules below to detect suspicious process creation related to image processing that may indicate exploitation.
  • Implement input validation on image files processed by Android-ImageMagick7 to prevent processing of maliciously crafted files.

Detection coverage 2

Detect ImageMagick Process Spawning from Web Server

medium

Detects ImageMagick processes being spawned from web server processes, which could indicate exploitation of image processing vulnerabilities.

sigma tactics: resource_development techniques: T1588.006 sources: process_creation, linux

Detect Excessive Memory Usage by ImageMagick

low

Detects ImageMagick processes consuming a large amount of memory, potentially indicating a memory leak vulnerability exploitation.

sigma tactics: availability techniques: T1499.002 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →