CVE-2026-3707 is a medium-severity integer overflow vulnerability found in the MrNanko webp4j library, specifically affecting versions 1.0 through 1.3.x. The vulnerability exists in the DecodeGifFromMemory function located in src/main/c/gif_decoder.c, where manipulation of the canvas_height parameter leads to an integer overflow. This overflow can cause memory corruption, potentially resulting in undefined behavior including crashes or code execution. The attack vector requires local access with low privileges, and no user interaction or authentication beyond local access is necessary. The vulnerability does not involve network attack vectors, limiting remote exploitation. The exploit code is publicly available, increasing the risk of exploitation in environments where the library is used. The patch identified by commit 89771b201c66d15d29e4cc016d8aae82b6a5fbe1 addresses the integer overflow by properly validating and handling the canvas_height parameter to prevent overflow conditions. The vulnerability impacts confidentiality, integrity, and availability due to the possibility of memory corruption. However, the limited attack vector and requirement for local access reduce the overall severity. The vulnerability is relevant to any software or systems embedding the webp4j library for GIF decoding, especially in local or embedded contexts.

The integer overflow vulnerability in webp4j can lead to memory corruption, which may cause application crashes or potentially allow an attacker to execute arbitrary code with the privileges of the affected process. Since exploitation requires local access, the risk is primarily to systems where untrusted users have local accounts or can execute code locally. The impact spans confidentiality, integrity, and availability, as memory corruption can be leveraged to read sensitive data, modify program behavior, or cause denial of service. Organizations using webp4j in development environments, embedded systems, or local applications are at risk. The availability of public exploit code increases the likelihood of exploitation attempts. However, the lack of remote attack vector limits the threat to local environments. Failure to patch could lead to privilege escalation or persistent compromise in multi-user systems. The medium CVSS score reflects the balance between potential impact and limited attack vector.

To mitigate CVE-2026-3707, organizations should promptly apply the official patch identified by commit 89771b201c66d15d29e4cc016d8aae82b6a5fbe1 that corrects the integer overflow in the DecodeGifFromMemory function. Additionally, restrict local access to systems running webp4j to trusted users only, minimizing the risk of exploitation by unprivileged users. Employ application whitelisting and endpoint protection to detect and prevent execution of unauthorized code locally. Conduct code audits and static analysis on any custom software embedding webp4j to ensure no unsafe usage of the vulnerable function remains. Monitor system logs for unusual crashes or behavior indicative of exploitation attempts. If possible, isolate or sandbox applications using webp4j to limit the impact of potential memory corruption. Finally, maintain up-to-date backups to recover from any denial-of-service or data integrity incidents resulting from exploitation.