CVE-2026-33853
Received - Intake
Null Pointer Dereference in Android-ImageMagick7 Before

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
NULL Pointer Dereference vulnerability in MolotovCherry Android-ImageMagick7. This issue affects Android-ImageMagick7: before 7.1.2-10.
Meta Information
Published: 2026-03-24
Last Modified: 2026-03-26
Generated: 2026-06-16
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: molotovcherry
Product: android-imagemagick7
Version / Range: to 7.1.2-10 (exc)
CWE ID: CWE-476
Description: The product dereferences a pointer that it expects to be valid but is NULL.
Executive Summary

CVE-2026-33853 is a NULL Pointer Dereference vulnerability found in the function jpeg_skip_scanlines() within a cloned version of the libjpeg-turbo library used by the Android-ImageMagick7 project. This vulnerability occurs because the cloned code did not include an important security patch present in the original libjpeg-turbo repository. When merged upsampling is used during JPEG processing, this flaw can cause a segmentation fault (segfault), leading to a crash or unexpected behavior.

The issue was fixed by backporting the missing security patch from the original libjpeg-turbo repository to the cloned code in Android-ImageMagick7, correcting how scanline skipping is handled in the vulnerable function.

Impact Analysis

This vulnerability can cause the affected application to crash due to a segmentation fault when processing JPEG images with merged upsampling. Such crashes can lead to denial of service conditions, potentially disrupting normal operation of applications relying on Android-ImageMagick7 for image processing.

Detection Guidance

This vulnerability causes a segmentation fault (segfault) in the function jpeg_skip_scanlines() during JPEG processing with merged upsampling. Detection can involve monitoring for crashes or segfaults in the Android-ImageMagick7 application when processing JPEG images.

There are no specific commands provided in the available resources to detect this vulnerability directly.

Mitigation Strategies

The vulnerability is fixed by applying the security patch that backports the fix from the original libjpeg-turbo repository to the Android-ImageMagick7 project. Immediate mitigation involves updating Android-ImageMagick7 to version 7.1.2-10 or later, which includes the patch correcting the jpeg_skip_scanlines() function.
