CVE-2026-1464 – An integer overflow vulnerability in the Apache... (How to Fix)

Q: What is the severity of CVE-2026-1464?

CVE-2026-1464 has a CVSS score of N/A (Unknown). An integer overflow vulnerability in the Apache Commons Compress TarUtils module used by AppManager allows attackers to cause denial of service or potentially execute arbitrary code by crafting malicious TAR archives. This affects all AppManager users running versions before 4.0.4.

📋 TL;DR

An integer overflow vulnerability in the Apache Commons Compress TarUtils module used by AppManager allows attackers to cause denial of service or potentially execute arbitrary code by crafting malicious TAR archives. This affects all AppManager users running versions before 4.0.4.

💻 Affected Systems

Products:

MuntashirAkon AppManager

Versions: All versions before 4.0.4

Operating Systems: Android (primary), potentially other platforms where AppManager runs

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the embedded Apache Commons Compress library's TarUtils module when processing TAR archives.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if the integer overflow enables memory corruption that can be leveraged for arbitrary code execution.

🟠

Likely Case

Application crash or denial of service when processing specially crafted TAR archives, potentially disrupting AppManager functionality.

🟢

If Mitigated

Limited impact with proper input validation and memory protections, potentially reduced to application instability rather than compromise.

🌐 Internet-Facing: MEDIUM - Exploitation requires processing malicious TAR archives, which could be delivered via various channels but requires user interaction or specific attack vectors.

🏢 Internal Only: MEDIUM - Similar risk profile as internet-facing, but attack surface may be more limited depending on internal controls.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires crafting malicious TAR archives and getting them processed by the vulnerable component. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.4

Vendor Advisory: https://github.com/MuntashirAkon/AppManager/pull/1598

Restart Required: Yes

Instructions:

1. Update AppManager to version 4.0.4 or later from the official GitHub repository or trusted app store. 2. Restart the application after update. 3. Verify the update was successful by checking the version number.

🔧 Temporary Workarounds

Disable TAR archive processing

all

Prevent AppManager from processing TAR archives if this functionality is not required

Not applicable - configuration change within AppManager settings

Use external TAR utilities

all

Configure AppManager to use external, trusted TAR utilities instead of the built-in vulnerable component

Configuration dependent on AppManager settings

🧯 If You Can't Patch

Implement strict input validation for TAR archives before processing
Use application sandboxing or containerization to limit potential impact

🔍 How to Verify

Check if Vulnerable:

Check AppManager version in app settings or via 'adb shell dumpsys package org.muntashirakon.AppManager | grep versionName'

Check Version:

adb shell dumpsys package org.muntashirakon.AppManager | grep versionName

Verify Fix Applied:

Confirm AppManager version is 4.0.4 or higher using the same version check command

📡 Detection & Monitoring

Log Indicators:

Application crashes when processing TAR archives
Unusual memory allocation patterns in AppManager logs
Stack traces mentioning TarUtils or integer overflow

Network Indicators:

Downloads of TAR archives to AppManager
Unusual network traffic patterns during TAR processing

SIEM Query:

source="AppManager" AND (event="crash" OR event="exception") AND (message="*TarUtils*" OR message="*integer overflow*")

📊 Metadata

CVE ID: CVE-2026-1464

CVSS v3 Score: N/A (Unknown)

CWE: CWE-190

EPSS Score: 0.02% exploit probability (4.3th percentile)

Published: January 27, 2026

Last Updated: January 27, 2026

🔗 References

https://github.com/MuntashirAkon/AppManager/pull/1598

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-1464, you might also want to check these: