CVE-2026-33853
Null Pointer Dereference in Android-ImageMagick7 Before
Publication date: 2026-03-24
Last updated on: 2026-03-26
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| molotovcherry | android-imagemagick7 | to 7.1.2-10 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33853 is a NULL Pointer Dereference vulnerability found in the function jpeg_skip_scanlines() within a cloned version of the libjpeg-turbo library used by the Android-ImageMagick7 project. This vulnerability occurs because the cloned code did not include an important security patch present in the original libjpeg-turbo repository. When merged upsampling is used during JPEG processing, this flaw can cause a segmentation fault (segfault), leading to a crash or unexpected behavior.
The issue was fixed by backporting the missing security patch from the original libjpeg-turbo repository to the cloned code in Android-ImageMagick7, correcting how scanline skipping is handled in the vulnerable function.
How can this vulnerability impact me? :
This vulnerability can cause the affected application to crash due to a segmentation fault when processing JPEG images with merged upsampling. Such crashes can lead to denial of service conditions, potentially disrupting normal operation of applications relying on Android-ImageMagick7 for image processing.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability causes a segmentation fault (segfault) in the function jpeg_skip_scanlines() during JPEG processing with merged upsampling. Detection can involve monitoring for crashes or segfaults in the Android-ImageMagick7 application when processing JPEG images.
There are no specific commands provided in the available resources to detect this vulnerability directly.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by applying the security patch that backports the fix from the original libjpeg-turbo repository to the Android-ImageMagick7 project. Immediate mitigation involves updating Android-ImageMagick7 to version 7.1.2-10 or later, which includes the patch correcting the jpeg_skip_scanlines() function.