CVE-2026-3707 is a medium severity integer overflow vulnerability found in the MrNanko webp4j library, affecting versions 1.0 through 1.3.x. The vulnerability exists in the DecodeGifFromMemory function located in src/main/c/gif_decoder.c, where manipulation of the canvas_height parameter can cause an integer overflow. This overflow can lead to memory corruption, potentially resulting in application crashes or undefined behavior. The vulnerability requires local access with low privileges (PR:L) and does not require user interaction (UI:N). The CVSS 4.0 vector indicates low attack complexity and partial impact on confidentiality, integrity, and availability. The exploit code is publicly available, increasing the risk of exploitation, although no active exploitation has been reported. The patch identified by commit 89771b201c66d15d29e4cc016d8aae82b6a5fbe1 addresses the issue by correcting the integer overflow handling. This vulnerability is particularly relevant for applications or services that rely on webp4j for GIF decoding, especially in environments where local users have access to the system. Proper patching and code review are essential to prevent exploitation.

The primary impact of this vulnerability is potential memory corruption due to integer overflow, which can cause application crashes or denial of service conditions. While the vulnerability requires local access, an attacker with low privileges could exploit it to disrupt service availability or potentially execute arbitrary code if combined with other vulnerabilities or conditions. This could affect the stability and reliability of applications using webp4j for GIF decoding, leading to service interruptions or data integrity issues. Organizations relying on this library in multi-user or shared environments may face increased risk if untrusted users have local access. Although the confidentiality impact is limited, the integrity and availability of affected systems could be compromised. The presence of publicly available exploit code increases the likelihood of exploitation attempts, especially in environments where patching is delayed.

1. Apply the official patch identified by commit 89771b201c66d15d29e4cc016d8aae82b6a5fbe1 immediately to all affected versions of webp4j (1.0 through 1.3.x). 2. Restrict local access to systems running applications that utilize webp4j to trusted users only, minimizing the risk of exploitation. 3. Conduct code audits and input validation reviews around the DecodeGifFromMemory function and related GIF processing code to ensure no other integer overflow or memory handling issues exist. 4. Implement runtime protections such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to mitigate potential exploitation impact. 5. Monitor logs and system behavior for unusual crashes or memory errors related to GIF decoding activities. 6. Educate developers and system administrators about the importance of timely patching and secure coding practices for image processing libraries. 7. If feasible, consider sandboxing or isolating the GIF decoding functionality to limit the blast radius of potential exploitation.