{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1464", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T07:58:56.403Z", "datePublished": "2026-01-27T08:18:17.832Z", "dateUpdated": "2026-01-27T21:39:51.512Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/MuntashirAkon/AppManager", "defaultStatus": "affected", "modules": ["app/src/main/java/org/apache/commons/compress/archivers/tar"], "product": "AppManager", "programFiles": ["TarUtils.java"], "vendor": "MuntashirAkon", "versions": [{"lessThan": "4.0.4", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "datePublic": "2026-01-27T08:18:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules).<p> This vulnerability is associated with program files <tt>TarUtils.Java</tt>.</p><p>This issue affects AppManager: before 4.0.4.</p>"}], "value": "Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java.\n\nThis issue affects AppManager: before 4.0.4."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 4.6, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:18:17.832Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/MuntashirAkon/AppManager/pull/1598"}], "source": {"discovery": "UNKNOWN"}, "title": "A possible integer overflow vulnerability in RawTherapee/RawTherapee", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:10:26.420693Z", "id": "CVE-2026-1464", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:39:51.512Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1464", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T07:58:56.403Z", "datePublished": "2026-01-27T08:18:17.832Z", "dateUpdated": "2026-01-27T21:39:51.512Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/MuntashirAkon/AppManager", "defaultStatus": "affected", "modules": ["app/src/main/java/org/apache/commons/compress/archivers/tar"], "product": "AppManager", "programFiles": ["TarUtils.java"], "vendor": "MuntashirAkon", "versions": [{"lessThan": "4.0.4", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "datePublic": "2026-01-27T08:18:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules).<p> This vulnerability is associated with program files <tt>TarUtils.Java</tt>.</p><p>This issue affects AppManager: before 4.0.4.</p>"}], "value": "Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java.\n\nThis issue affects AppManager: before 4.0.4."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 4.6, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:18:17.832Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/MuntashirAkon/AppManager/pull/1598"}], "source": {"discovery": "UNKNOWN"}, "title": "A possible integer overflow vulnerability in RawTherapee/RawTherapee", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1464", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T21:10:26.420693Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:10:29.692Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java.\n\nThis issue affects AppManager: before 4.0.4."}, {"lang": "es", "value": "Vulnerabilidad de desbordamiento de entero o ajuste circular en MuntashirAkon AppManager (m\u00f3dulos app/src/main/java/org/apache/commons/compress/archivers/tar). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa TarUtils.Java. Este problema afecta a AppManager: antes de la 4.0.4."}], "id": "CVE-2026-1464", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "LOW"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T09:15:48.080", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/MuntashirAkon/AppManager/pull/1598"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T18:49:06.925193+00:00", "value": {"mitigation_remediation": ["Upgrade AppManager to version 4.0.4 or newer to eliminate the integer overflow flaw.", "Apply the patch referenced in pull request 1598 if using a source build of the application.", "Restrict processing of TAR archives to trusted inputs and implement checks to ensure that size calculations fall within integer bounds to mitigate the overflow risk."], "summary": {"action": "Patch Upgrade", "impact": "Potential memory corruption or denial of service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects AppManager versions before 4.0.4. It involves the TarUtils.java file within the application's tar handling modules. Users running older releases of the application are at risk if they process untrusted TAR archives.", "description_and_impact": "An integer overflow or wraparound vulnerability exists in the TarUtils module of MuntashirAkon AppManager, specifically in org.apache.commons.compress.archivers.tar. The flaw arises when processing TAR archive files and can cause incorrect calculation of buffer sizes. This leads to potential memory corruption, application crashes, or denial of service. The weakness is classified as CWE-190, representing integer overflows.", "risk_and_exploitability": "The CVSS score of 4.6 indicates a low to moderate severity, while the EPSS score of less than 1% signals a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, further reducing immediate threat. Exploitation would likely require an attacker to supply a malicious TAR file to the application, which suggests a local or user\u2011supplied vector. Given the current metrics, the immediate risk is low, but securing the application through updates or mitigations is prudent."}}}}, "created": "2026-01-27T20:16:52.951220+00:00", "updated": "2026-04-18T19:00:08.034261+00:00", "vendors": ["muntashirakon", "muntashirakon$PRODUCT$appmanager"]}