CVE-2026-33853
Published: 24 March 2026
Summary
CVE-2026-33853 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in MolotovCherry Android-ImageMagick7. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 9.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-33853 is a NULL Pointer Dereference vulnerability (CWE-476) in the MolotovCherry Android-ImageMagick7 library. This issue affects Android-ImageMagick7 versions before 7.1.2-10.
The vulnerability carries a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). A local attacker requires no privileges but needs user interaction, such as tricking a victim into opening or processing a specially crafted image file within an application using the library. Successful exploitation leads to a denial of service, causing the affected application to crash with high availability impact and no confidentiality or integrity effects.
The issue is fixed in Android-ImageMagick7 version 7.1.2-10. Patch details are available in the GitHub pull request at https://github.com/MolotovCherry/Android-ImageMagick7/pull/183.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14756
Vulnerability details
NULL Pointer Dereference vulnerability in MolotovCherry Android-ImageMagick7. This issue affects Android-ImageMagick7: before 7.1.2-10.
- CWE(s): CWE-476
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A NULL dereference in the image library lets a crafted malicious image file (T1204.002) trigger an application crash via exploitation (T1499.004).
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely remediation of identified flaws, directly mitigating this NULL pointer dereference by applying the patch available in Android-ImageMagick7 version 7.1.2-10.
SI-11 enforces secure error handling to manage NULL pointer conditions gracefully, preventing application crashes from denial-of-service exploitation.
SI-10 validates image file inputs prior to processing, blocking specially crafted files that trigger the NULL pointer dereference vulnerability.