CVE-2026-33853
Received Received - Intake

Null Pointer Dereference in Android-ImageMagick7 Before

Vulnerability report for CVE-2026-33853, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description

NULL Pointer Dereference vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-10.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-24
Last Modified
2026-03-26
Generated
2026-07-06
AI Q&A
2026-03-24
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
molotovcherry android-imagemagick7 to 7.1.2-10 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-33853 is a NULL Pointer Dereference vulnerability found in the function jpeg_skip_scanlines() within a cloned version of the libjpeg-turbo library used by the Android-ImageMagick7 project. This vulnerability occurs because the cloned code did not include an important security patch present in the original libjpeg-turbo repository. When merged upsampling is used during JPEG processing, this flaw can cause a segmentation fault (segfault), leading to a crash or unexpected behavior.

The issue was fixed by backporting the missing security patch from the original libjpeg-turbo repository to the cloned code in Android-ImageMagick7, correcting how scanline skipping is handled in the vulnerable function.

Impact Analysis

This vulnerability can cause the affected application to crash due to a segmentation fault when processing JPEG images with merged upsampling. Such crashes can lead to denial of service conditions, potentially disrupting normal operation of applications relying on Android-ImageMagick7 for image processing.

Compliance Impact

I don't know

Detection Guidance

This vulnerability causes a segmentation fault (segfault) in the function jpeg_skip_scanlines() during JPEG processing with merged upsampling. Detection can involve monitoring for crashes or segfaults in the Android-ImageMagick7 application when processing JPEG images.

There are no specific commands provided in the available resources to detect this vulnerability directly.

Mitigation Strategies

The vulnerability is fixed by applying the security patch that backports the fix from the original libjpeg-turbo repository to the Android-ImageMagick7 project. Immediate mitigation involves updating Android-ImageMagick7 to version 7.1.2-10 or later, which includes the patch correcting the jpeg_skip_scanlines() function.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33853. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart