Cyber Resilience

CVE-2026-33853

Medium

Published: 24 March 2026

Published
24 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score v3.1 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS Score 0.0003 9.8th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33853 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in Molotovcherry Android-Imagemagick7. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 9.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33853 is a NULL Pointer Dereference vulnerability (CWE-476) in the MolotovCherry Android-ImageMagick7 library. This issue affects Android-ImageMagick7 versions before 7.1.2-10.

The vulnerability carries a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). A local attacker requires no privileges but needs user interaction, such as tricking a victim into opening or processing a specially crafted image file within an application using the library. Successful exploitation leads to a denial of service, causing the affected application to crash with high availability impact and no confidentiality or integrity effects.

Mitigation is addressed in Android-ImageMagick7 version 7.1.2-10. Patch details are available in the GitHub pull request at https://github.com/MolotovCherry/Android-ImageMagick7/pull/183.

EU & UK References

Vulnerability details

NULL Pointer Dereference vulnerability in MolotovCherry Android-ImageMagick7.This issue affects Android-ImageMagick7: before 7.1.2-10.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL dereference in image library directly enables crafted malicious image file (T1204.002) to trigger application crash via exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33856Same product: Molotovcherry Android-Imagemagick7
CVE-2026-33855Same product: Molotovcherry Android-Imagemagick7
CVE-2026-33854Same product: Molotovcherry Android-Imagemagick7
CVE-2026-4755Same product: Molotovcherry Android-Imagemagick7
CVE-2026-33852Same product: Molotovcherry Android-Imagemagick7
CVE-2026-4756Same product: Molotovcherry Android-Imagemagick7
CVE-2026-31792Shared CWE-476
CVE-2026-21680Shared CWE-476
CVE-2026-40413Shared CWE-476
CVE-2025-57155Shared CWE-476

Affected Assets

molotovcherry
android-imagemagick7
≤ 7.1.2-10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely remediation of identified flaws, directly mitigating this NULL pointer dereference by applying the patch available in Android-ImageMagick7 version 7.1.2-10.

prevent

SI-11 enforces secure error handling to manage NULL pointer conditions gracefully, preventing application crashes from denial-of-service exploitation.

prevent

SI-10 validates image file inputs prior to processing, blocking specially crafted files that trigger the NULL pointer dereference vulnerability.

References