20 vulnerabilities by golang.org/x/image
CVE-2026-46602 (GCVE-0-2026-46602)
Vulnerability from cvelistv5 – Published: 2026-06-25 19:47 – Updated: 2026-06-26 16:07
Title
Lack of limit on tile sizes in x/image/tiff in golang.org/x/image
Summary
The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
References
3 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0, < 0.43.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T16:05:58.046352Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:07:00.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "Decode"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.43.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Prasanna Dabi (GitHub: prasanna8585)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T19:47:21.690Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/788422"
},
{
"url": "https://go.dev/issue/79905"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5062"
}
],
"title": "Lack of limit on tile sizes in x/image/tiff in golang.org/x/image"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-46602",
"datePublished": "2026-06-25T19:47:21.690Z",
"dateReserved": "2026-05-15T17:35:00.814Z",
"dateUpdated": "2026-06-26T16:07:00.792Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46601 (GCVE-0-2026-46601)
Vulnerability from cvelistv5 – Published: 2026-06-25 19:47 – Updated: 2026-06-26 16:09
Title
Panic on VP8 alpha channel size mismatch in x/image/webp in golang.org/x/image
Summary
The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
References
3 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| golang.org/x/image | golang.org/x/image/webp | Affected: 0, < 0.43.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-26T16:08:56.631719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T16:09:18.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/webp",
"product": "golang.org/x/image/webp",
"programRoutines": [
{
"name": "decode"
},
{
"name": "Decode"
},
{
"name": "DecodeConfig"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.43.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/webp",
"product": "golang.org/x/image/webp",
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.43.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Lucas Futures (GitHub: gn00295120)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125: Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T19:47:21.500Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/787681"
},
{
"url": "https://go.dev/issue/79869"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5061"
}
],
"title": "Panic on VP8 alpha channel size mismatch in x/image/webp in golang.org/x/image"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-46601",
"datePublished": "2026-06-25T19:47:21.500Z",
"dateReserved": "2026-05-15T17:35:00.814Z",
"dateUpdated": "2026-06-26T16:09:18.573Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-46599 (GCVE-0-2026-46599)
Vulnerability from cvelistv5 – Published: 2026-05-29 19:35 – Updated: 2026-06-01 14:44
Title
Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff
Summary
The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0, < 0.41.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T14:43:59.743802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T14:44:03.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "unpackBits"
},
{
"name": "Decode"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.41.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Uuganbayar Lkhamsuren"
}
],
"descriptions": [
{
"lang": "en",
"value": "The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:35:33.539Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79577"
},
{
"url": "https://go.dev/cl/759960"
},
{
"url": "https://groups.google.com/g/golang-announce/c/uhYX90BlBvI"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5032"
}
],
"title": "Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-46599",
"datePublished": "2026-05-29T19:35:33.539Z",
"dateReserved": "2026-05-15T17:35:00.813Z",
"dateUpdated": "2026-06-01T14:44:03.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42500 (GCVE-0-2026-42500)
Vulnerability from cvelistv5 – Published: 2026-05-29 18:36 – Updated: 2026-05-29 19:51
Title
Panic when reading out of bound palette index in golang.org/x/image/bmp
Summary
Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-129 - Improper Validation of Array Index
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| golang.org/x/image | golang.org/x/image/bmp | Affected: 0, < 0.41.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:51:07.816824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:51:38.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/bmp",
"product": "golang.org/x/image/bmp",
"programRoutines": [
{
"name": "decodePaletted"
},
{
"name": "Decode"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.41.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-129: Improper Validation of Array Index",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:36:28.283Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79576"
},
{
"url": "https://groups.google.com/g/golang-announce/c/uhYX90BlBvI"
},
{
"url": "https://go.dev/cl/781500"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5031"
}
],
"title": "Panic when reading out of bound palette index in golang.org/x/image/bmp"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-42500",
"datePublished": "2026-05-29T18:36:28.283Z",
"dateReserved": "2026-04-28T00:21:12.791Z",
"dateUpdated": "2026-05-29T19:51:38.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33812 (GCVE-0-2026-33812)
Vulnerability from cvelistv5 – Published: 2026-04-21 19:21 – Updated: 2026-04-21 20:43
Title
Excessive memory allocation when decoding malicious SFNT in golang.org/x/image
Summary
Parsing a malicious font file can cause excessive memory allocation.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
References
3 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| golang.org/x/image | golang.org/x/image/font/sfnt | Affected: 0, < 0.39.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33812",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T20:43:08.370574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T20:43:11.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/font/sfnt",
"product": "golang.org/x/image/font/sfnt",
"programRoutines": [
{
"name": "source.view"
},
{
"name": "Collection.Font"
},
{
"name": "Font.GlyphAdvance"
},
{
"name": "Font.GlyphBounds"
},
{
"name": "Font.GlyphIndex"
},
{
"name": "Font.GlyphName"
},
{
"name": "Font.Kern"
},
{
"name": "Font.LoadGlyph"
},
{
"name": "Font.Name"
},
{
"name": "Font.WriteSourceTo"
},
{
"name": "Parse"
},
{
"name": "ParseCollection"
},
{
"name": "ParseCollectionReaderAt"
},
{
"name": "ParseReaderAt"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.39.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andy Gill, ZephrSec Ltd"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing a malicious font file can cause excessive memory allocation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:21:28.556Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/761180"
},
{
"url": "https://go.dev/issue/78382"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4962"
}
],
"title": "Excessive memory allocation when decoding malicious SFNT in golang.org/x/image"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-33812",
"datePublished": "2026-04-21T19:21:28.556Z",
"dateReserved": "2026-03-23T20:35:32.814Z",
"dateUpdated": "2026-04-21T20:43:11.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33813 (GCVE-0-2026-33813)
Vulnerability from cvelistv5 – Published: 2026-04-21 19:21 – Updated: 2026-06-25 19:47
Title
Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image
Summary
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| golang.org/x/image | golang.org/x/image/webp | Affected: 0, < 0.42.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T15:23:43.643284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T15:34:46.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/webp",
"product": "golang.org/x/image/webp",
"programRoutines": [
{
"name": "decode"
},
{
"name": "Decode"
},
{
"name": "DecodeConfig"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.42.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tristan Madani"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing a WEBP image with an invalid, large size panics on 32-bit platforms."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T19:47:15.561Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/759860"
},
{
"url": "https://go.dev/cl/780860"
},
{
"url": "https://go.dev/issue/78407"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4961"
}
],
"title": "Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-33813",
"datePublished": "2026-04-21T19:21:27.644Z",
"dateReserved": "2026-03-23T20:35:32.814Z",
"dateUpdated": "2026-06-25T19:47:15.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33809 (GCVE-0-2026-33809)
Vulnerability from cvelistv5 – Published: 2026-03-25 18:24 – Updated: 2026-04-06 21:12
Title
OOM from malicious IFD offset in golang.org/x/image/tiff
Summary
A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
References
3 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0, < 0.38.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33809",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T20:05:32.763729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T20:05:50.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "buffer.fill"
},
{
"name": "buffer.ReadAt"
},
{
"name": "Decode"
},
{
"name": "DecodeConfig"
},
{
"name": "buffer.Slice"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.38.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andy Gill, ZephrSec Ltd"
}
],
"descriptions": [
{
"lang": "en",
"value": "A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T21:12:56.092Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/757660"
},
{
"url": "https://go.dev/issue/78267"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4815"
}
],
"title": "OOM from malicious IFD offset in golang.org/x/image/tiff"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-33809",
"datePublished": "2026-03-25T18:24:04.222Z",
"dateReserved": "2026-03-23T20:35:32.813Z",
"dateUpdated": "2026-04-06T21:12:56.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-24792 (GCVE-0-2024-24792)
Vulnerability from cvelistv5 – Published: 2024-06-27 17:37 – Updated: 2024-08-01 23:28
Title
Panic when parsing invalid palette-color images in golang.org/x/image
Summary
Parsing a corrupt or malicious image with invalid color indices can cause a panic.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
References
3 references
Impacted products
2 products
| Vendor | Product | Version | CPE |
|---|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0, < 0.18.0 (semver) | |
| golang | image | Affected: 0, < 0.18.0 (semver) | cpe:2.3:a:golang:image:*:*:*:*:*:go:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:golang:image:*:*:*:*:*:go:*:*"
],
"defaultStatus": "unknown",
"product": "image",
"vendor": "golang",
"versions": [
{
"lessThan": "0.18.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-24792",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T15:53:18.409742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T15:22:35.789Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.747Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/588115"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/67624"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2024-2937"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "decoder.decode"
},
{
"name": "Decode"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.18.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "John Wright \u003cjsw@google.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing a corrupt or malicious image with invalid color indices can cause a panic."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125: Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T17:37:38.560Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/588115"
},
{
"url": "https://go.dev/issue/67624"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-2937"
}
],
"title": "Panic when parsing invalid palette-color images in golang.org/x/image"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2024-24792",
"datePublished": "2024-06-27T17:37:38.560Z",
"dateReserved": "2024-01-30T16:05:14.758Z",
"dateUpdated": "2024-08-01T23:28:12.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29407 (GCVE-0-2023-29407)
Vulnerability from cvelistv5 – Published: 2023-08-02 19:52 – Updated: 2025-02-13 16:49
Title
Excessive CPU consumption when decoding 0-height images in golang.org/x/image/tiff
Summary
A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-834 - Excessive Iteration
References
7 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0, < 0.10.0 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:45.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/61581"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/514897"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-1990"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230831-0009/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T18:44:33.694059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T18:44:42.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "newDecoder"
},
{
"name": "Decode"
},
{
"name": "DecodeConfig"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.10.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philippe Antoine (Catena cyber)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-834: Excessive Iteration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:03.078Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/61581"
},
{
"url": "https://go.dev/cl/514897"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-1990"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230831-0009/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "Excessive CPU consumption when decoding 0-height images in golang.org/x/image/tiff"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-29407",
"datePublished": "2023-08-02T19:52:53.482Z",
"dateReserved": "2023-04-05T19:36:35.043Z",
"dateUpdated": "2025-02-13T16:49:15.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29408 (GCVE-0-2023-29408)
Vulnerability from cvelistv5 – Published: 2023-08-02 19:52 – Updated: 2025-02-13 16:49
Title
Excessive resource consumption in golang.org/x/image/tiff
Summary
The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
References
7 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0, < 0.10.0 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:45.865Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/61582"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/514897"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-1989"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230831-0009/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T18:46:10.965305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T18:46:21.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "newDecoder"
},
{
"name": "Decode"
},
{
"name": "DecodeConfig"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.10.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philippe Antoine (Catena cyber)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:04.860Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/61582"
},
{
"url": "https://go.dev/cl/514897"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-1989"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230831-0009/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "Excessive resource consumption in golang.org/x/image/tiff"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-29408",
"datePublished": "2023-08-02T19:52:48.613Z",
"dateReserved": "2023-04-05T19:36:35.043Z",
"dateUpdated": "2025-02-13T16:49:15.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41727 (GCVE-0-2022-41727)
Vulnerability from cvelistv5 – Published: 2023-02-28 17:19 – Updated: 2025-03-07 17:55
Title
Denial of service via crafted TIFF image in golang.org/x/image/tiff
Summary
An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0 , < 0.5.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/58003"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/468195"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-1572"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T17:55:30.387522Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T17:55:51.961Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "decoder.ifdUint"
},
{
"name": "newDecoder"
},
{
"name": "Decode"
},
{
"name": "DecodeConfig"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philippe Antoine (Catena cyber)"
},
{
"lang": "en",
"value": "OSS Fuzz"
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:01.203Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/58003"
},
{
"url": "https://go.dev/cl/468195"
},
{
"url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-1572"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "Denial of service via crafted TIFF image in golang.org/x/image/tiff"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-41727",
"datePublished": "2023-02-28T17:19:47.090Z",
"dateReserved": "2022-09-28T17:03:42.049Z",
"dateUpdated": "2025-03-07T17:55:51.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-46599 (GCVE-0-2026-46599)
Vulnerability from nvd – Published: 2026-05-29 19:35 – Updated: 2026-06-01 14:44
Title
Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff
Summary
The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0 , < 0.41.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T14:43:59.743802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T14:44:03.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "unpackBits"
},
{
"name": "Decode"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.41.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Uuganbayar Lkhamsuren"
}
],
"descriptions": [
{
"lang": "en",
"value": "The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:35:33.539Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79577"
},
{
"url": "https://go.dev/cl/759960"
},
{
"url": "https://groups.google.com/g/golang-announce/c/uhYX90BlBvI"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5032"
}
],
"title": "Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-46599",
"datePublished": "2026-05-29T19:35:33.539Z",
"dateReserved": "2026-05-15T17:35:00.813Z",
"dateUpdated": "2026-06-01T14:44:03.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42500 (GCVE-0-2026-42500)
Vulnerability from nvd – Published: 2026-05-29 18:36 – Updated: 2026-05-29 19:51
Title
Panic when reading out of bound palette index in golang.org/x/image/bmp
Summary
Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-129 - Improper Validation of Array Index
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/image | golang.org/x/image/bmp | Affected: 0 , < 0.41.0 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-42500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:51:07.816824Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:51:38.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/bmp",
"product": "golang.org/x/image/bmp",
"programRoutines": [
{
"name": "decodePaletted"
},
{
"name": "Decode"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.41.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-129: Improper Validation of Array Index",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T18:36:28.283Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/79576"
},
{
"url": "https://groups.google.com/g/golang-announce/c/uhYX90BlBvI"
},
{
"url": "https://go.dev/cl/781500"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-5031"
}
],
"title": "Panic when reading out of bound palette index in golang.org/x/image/bmp"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-42500",
"datePublished": "2026-05-29T18:36:28.283Z",
"dateReserved": "2026-04-28T00:21:12.791Z",
"dateUpdated": "2026-05-29T19:51:38.147Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33813 (GCVE-0-2026-33813)
Vulnerability from nvd – Published: 2026-04-21 19:21 – Updated: 2026-06-25 19:47
Title
Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image
Summary
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer Overflow or Wraparound
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/image | golang.org/x/image/webp | Affected: 0 , < 0.42.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33813",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-22T15:23:43.643284Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T15:34:46.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/webp",
"product": "golang.org/x/image/webp",
"programRoutines": [
{
"name": "decode"
},
{
"name": "Decode"
},
{
"name": "DecodeConfig"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.42.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tristan Madani"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing a WEBP image with an invalid, large size panics on 32-bit platforms."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T19:47:15.561Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/759860"
},
{
"url": "https://go.dev/cl/780860"
},
{
"url": "https://go.dev/issue/78407"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4961"
}
],
"title": "Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-33813",
"datePublished": "2026-04-21T19:21:27.644Z",
"dateReserved": "2026-03-23T20:35:32.814Z",
"dateUpdated": "2026-06-25T19:47:15.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33812 (GCVE-0-2026-33812)
Vulnerability from nvd – Published: 2026-04-21 19:21 – Updated: 2026-04-21 20:43
Title
Excessive memory allocation when decoding malicious SFNT in golang.org/x/image
Summary
Parsing a malicious font file can cause excessive memory allocation.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/image | golang.org/x/image/font/sfnt | Affected: 0 , < 0.39.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33812",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-21T20:43:08.370574Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T20:43:11.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/font/sfnt",
"product": "golang.org/x/image/font/sfnt",
"programRoutines": [
{
"name": "source.view"
},
{
"name": "Collection.Font"
},
{
"name": "Font.GlyphAdvance"
},
{
"name": "Font.GlyphBounds"
},
{
"name": "Font.GlyphIndex"
},
{
"name": "Font.GlyphName"
},
{
"name": "Font.Kern"
},
{
"name": "Font.LoadGlyph"
},
{
"name": "Font.Name"
},
{
"name": "Font.WriteSourceTo"
},
{
"name": "Parse"
},
{
"name": "ParseCollection"
},
{
"name": "ParseCollectionReaderAt"
},
{
"name": "ParseReaderAt"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.39.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andy Gill, ZephrSec Ltd"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing a malicious font file can cause excessive memory allocation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-21T19:21:28.556Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/761180"
},
{
"url": "https://go.dev/issue/78382"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4962"
}
],
"title": "Excessive memory allocation when decoding malicious SFNT in golang.org/x/image"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-33812",
"datePublished": "2026-04-21T19:21:28.556Z",
"dateReserved": "2026-03-23T20:35:32.814Z",
"dateUpdated": "2026-04-21T20:43:11.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33809 (GCVE-0-2026-33809)
Vulnerability from nvd – Published: 2026-03-25 18:24 – Updated: 2026-04-06 21:12
Title
OOM from malicious IFD offset in golang.org/x/image/tiff
Summary
A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
3 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0 , < 0.38.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-33809",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T20:05:32.763729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T20:05:50.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "buffer.fill"
},
{
"name": "buffer.ReadAt"
},
{
"name": "Decode"
},
{
"name": "DecodeConfig"
},
{
"name": "buffer.Slice"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.38.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Andy Gill, ZephrSec Ltd"
}
],
"descriptions": [
{
"lang": "en",
"value": "A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-06T21:12:56.092Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/757660"
},
{
"url": "https://go.dev/issue/78267"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4815"
}
],
"title": "OOM from malicious IFD offset in golang.org/x/image/tiff"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2026-33809",
"datePublished": "2026-03-25T18:24:04.222Z",
"dateReserved": "2026-03-23T20:35:32.813Z",
"dateUpdated": "2026-04-06T21:12:56.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-24792 (GCVE-0-2024-24792)
Vulnerability from nvd – Published: 2024-06-27 17:37 – Updated: 2024-08-01 23:28
Title
Panic when parsing invalid palette-color images in golang.org/x/image
Summary
Parsing a corrupt or malicious image with invalid color indices can cause a panic.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
3 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0 , < 0.18.0 (semver) | |
| golang | image | Affected: 0 , < 0.18.0 (semver) | cpe:2.3:a:golang:image:*:*:*:*:*:go:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:golang:image:*:*:*:*:*:go:*:*"
],
"defaultStatus": "unknown",
"product": "image",
"vendor": "golang",
"versions": [
{
"lessThan": "0.18.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-24792",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T15:53:18.409742Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-18T15:22:35.789Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:28:12.747Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/588115"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/67624"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2024-2937"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "decoder.decode"
},
{
"name": "Decode"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.18.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "John Wright \u003cjsw@google.com\u003e"
}
],
"descriptions": [
{
"lang": "en",
"value": "Parsing a corrupt or malicious image with invalid color indices can cause a panic."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125: Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-27T17:37:38.560Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/588115"
},
{
"url": "https://go.dev/issue/67624"
},
{
"url": "https://pkg.go.dev/vuln/GO-2024-2937"
}
],
"title": "Panic when parsing invalid palette-color images in golang.org/x/image"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2024-24792",
"datePublished": "2024-06-27T17:37:38.560Z",
"dateReserved": "2024-01-30T16:05:14.758Z",
"dateUpdated": "2024-08-01T23:28:12.747Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29407 (GCVE-0-2023-29407)
Vulnerability from nvd – Published: 2023-08-02 19:52 – Updated: 2025-02-13 16:49
Title
Excessive CPU consumption when decoding 0-height images in golang.org/x/image/tiff
Summary
A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-834 - Excessive Iteration
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0 , < 0.10.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:45.991Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/61581"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/514897"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-1990"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230831-0009/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T18:44:33.694059Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T18:44:42.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "newDecoder"
},
{
"name": "Decode"
},
{
"name": "DecodeConfig"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.10.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philippe Antoine (Catena cyber)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-834: Excessive Iteration",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:03.078Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/61581"
},
{
"url": "https://go.dev/cl/514897"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-1990"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230831-0009/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "Excessive CPU consumption when decoding 0-height images in golang.org/x/image/tiff"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-29407",
"datePublished": "2023-08-02T19:52:53.482Z",
"dateReserved": "2023-04-05T19:36:35.043Z",
"dateUpdated": "2025-02-13T16:49:15.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29408 (GCVE-0-2023-29408)
Vulnerability from nvd – Published: 2023-08-02 19:52 – Updated: 2025-02-13 16:49
VLAI
Title
Excessive resource consumption in golang.org/x/image/tiff
Summary
The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0 , < 0.10.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:45.865Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/61582"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/514897"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-1989"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230831-0009/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29408",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-17T18:46:10.965305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-17T18:46:21.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "newDecoder"
},
{
"name": "Decode"
},
{
"name": "DecodeConfig"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.10.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philippe Antoine (Catena cyber)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:04.860Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/61582"
},
{
"url": "https://go.dev/cl/514897"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-1989"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230831-0009/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "Excessive resource consumption in golang.org/x/image/tiff"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2023-29408",
"datePublished": "2023-08-02T19:52:48.613Z",
"dateReserved": "2023-04-05T19:36:35.043Z",
"dateUpdated": "2025-02-13T16:49:15.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41727 (GCVE-0-2022-41727)
Vulnerability from nvd – Published: 2023-02-28 17:19 – Updated: 2025-03-07 17:55
VLAI
Title
Denial of service via crafted TIFF image in golang.org/x/image/tiff
Summary
An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.
Severity
No CVSS data available.
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| golang.org/x/image | golang.org/x/image/tiff | Affected: 0 , < 0.5.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:49:43.923Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/issue/58003"
},
{
"tags": [
"x_transferred"
],
"url": "https://go.dev/cl/468195"
},
{
"tags": [
"x_transferred"
],
"url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2023-1572"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T17:55:30.387522Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T17:55:51.961Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "golang.org/x/image/tiff",
"product": "golang.org/x/image/tiff",
"programRoutines": [
{
"name": "decoder.ifdUint"
},
{
"name": "newDecoder"
},
{
"name": "Decode"
},
{
"name": "DecodeConfig"
}
],
"vendor": "golang.org/x/image",
"versions": [
{
"lessThan": "0.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Philippe Antoine (Catena cyber)"
},
{
"lang": "en",
"value": "OSS Fuzz"
}
],
"descriptions": [
{
"lang": "en",
"value": "An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-03T20:07:01.203Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/issue/58003"
},
{
"url": "https://go.dev/cl/468195"
},
{
"url": "https://groups.google.com/g/golang-announce/c/ag-FiyjlD5o"
},
{
"url": "https://pkg.go.dev/vuln/GO-2023-1572"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/"
},
{
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/"
}
],
"title": "Denial of service via crafted TIFF image in golang.org/x/image/tiff"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2022-41727",
"datePublished": "2023-02-28T17:19:47.090Z",
"dateReserved": "2022-09-28T17:03:42.049Z",
"dateUpdated": "2025-03-07T17:55:51.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
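The three records above (CVE-2023-29407, CVE-2023-29408 and CVE-2022-41727) share a shape: values the decoder reads from the TIFF image file directory, such as image and tile dimensions, strip or tile byte counts and entry counts, drive loops and allocations in newDecoder, Decode and DecodeConfig before being bounded. The fix is to upgrade to the versions the records name (0.5.0 for CVE-2022-41727, 0.10.0 for the other two). What follows is an added example, not code from golang.org/x/image or from the advisories, of a defence-in-depth pre-check a caller can run on untrusted input before any decoder sees it. It walks IFD 0 with the Go standard library only, checks every file-supplied length against a limit before using it, and refuses inputs in the shape each summary describes. The limits, the names Precheck, Header, Sample and Samples, and the constructed sample files (IFD only, no real pixel data) are this example's own assumptions.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Illustrative limits chosen for this example, not numbers from the advisories.
const (
	maxBytes   = 8 << 20 // encoded input the caller is willing to read at all
	maxDim     = 1 << 14 // ImageWidth, ImageLength, TileWidth, TileLength
	maxPixels  = 1 << 26 // ImageWidth * ImageLength
	maxChunk   = 4 << 20 // any single StripByteCounts / TileByteCounts value
	maxEntries = 256     // entries per IFD, and values per entry
)

var ErrReject = errors.New("tiff precheck: rejected")

// Header holds the IFD 0 fields that drive decoder work: tags 256 ImageWidth, 257 ImageLength,
// 322 TileWidth, 323 TileLength, and the largest 279 StripByteCounts / 325 TileByteCounts value.
type Header struct{ Width, Height, TileWidth, TileLength, MaxChunk uint32 }

// field returns the values of a SHORT (type 3) or LONG (type 4) IFD entry. The count is
// checked before anything is allocated, so a hostile count cannot by itself drive memory use.
func field(data []byte, bo binary.ByteOrder, e []byte) ([]uint32, error) {
	typ, cnt := bo.Uint16(e[2:4]), bo.Uint32(e[4:8])
	size := map[uint16]uint64{3: 2, 4: 4}[typ]
	if size == 0 || cnt == 0 || cnt > maxEntries {
		return nil, fmt.Errorf("%w: field type %d count %d", ErrReject, typ, cnt)
	}
	raw, total := e[8:12], uint64(cnt)*size
	if off := uint64(bo.Uint32(e[8:12])); total > 4 && off+total <= uint64(len(data)) {
		raw = data[off : off+total] // too big for the entry itself, so the value lives at an offset
	} else if total > 4 {
		return nil, fmt.Errorf("%w: field data beyond end of file", ErrReject)
	}
	vals := make([]uint32, cnt)
	for i := range vals {
		if size == 2 {
			vals[i] = uint32(bo.Uint16(raw[i*2:]))
		} else {
			vals[i] = bo.Uint32(raw[i*4:])
		}
	}
	return vals, nil
}

// Precheck reads at most maxBytes, walks IFD 0 and applies the limits. Only on success are
// the (already bounded) bytes returned for the real decoder to consume.
func Precheck(r io.Reader) ([]byte, Header, error) {
	var h Header
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil || len(data) > maxBytes || len(data) < 8 {
		return nil, h, fmt.Errorf("%w: read error, oversized or truncated input", ErrReject)
	}
	bo := map[string]binary.ByteOrder{"II": binary.LittleEndian, "MM": binary.BigEndian}[string(data[:2])]
	if bo == nil || bo.Uint16(data[2:4]) != 42 {
		return nil, h, fmt.Errorf("%w: not a TIFF header", ErrReject)
	}
	off := uint64(bo.Uint32(data[4:8]))
	if off+2 > uint64(len(data)) {
		return nil, h, fmt.Errorf("%w: IFD offset beyond end of file", ErrReject)
	}
	n := uint64(bo.Uint16(data[off:]))
	if n > maxEntries || off+2+n*12 > uint64(len(data)) {
		return nil, h, fmt.Errorf("%w: IFD with %d entries is oversized or truncated", ErrReject, n)
	}
	dims := map[uint16]*uint32{256: &h.Width, 257: &h.Height, 322: &h.TileWidth, 323: &h.TileLength}
	for i := uint64(0); i < n; i++ {
		e := data[off+2+i*12:][:12]
		tag := bo.Uint16(e[0:2])
		dst, isDim := dims[tag]
		if !isDim && tag != 279 && tag != 325 {
			continue
		}
		v, err := field(data, bo, e)
		if err != nil {
			return nil, h, err
		}
		for _, c := range v { // dimensions carry one value; byte-count tags carry one per strip/tile
			if isDim {
				*dst = c
			} else if c > h.MaxChunk {
				h.MaxChunk = c
			}
		}
	}
	switch {
	case h.Width == 0 || h.Height == 0: // width*height == 0 bounds nothing: tile columns scale with width alone
		err = fmt.Errorf("%w: zero dimension in %dx%d", ErrReject, h.Width, h.Height)
	case h.Width > maxDim || h.Height > maxDim || h.TileWidth > maxDim || h.TileLength > maxDim || uint64(h.Width)*uint64(h.Height) > maxPixels:
		err = fmt.Errorf("%w: %dx%d image with %dx%d tiles exceeds limits", ErrReject, h.Width, h.Height, h.TileWidth, h.TileLength)
	case h.MaxChunk > maxChunk || uint64(h.MaxChunk) > uint64(len(data)): // no strip/tile holds more compressed bytes than the file
		err = fmt.Errorf("%w: %d-byte compressed strip/tile", ErrReject, h.MaxChunk)
	}
	if err != nil {
		return nil, h, err
	}
	return data, h, nil
}

type entry struct{ Tag, Typ uint16; Count, Value uint32 } // one 12-byte IFD entry

// Sample assembles a little-endian TIFF: header, IFD 0 with the given entries, then payload
// placeholder bytes standing in for strip/tile data. Constructed input for this example.
func Sample(payload int, entries ...entry) []byte {
	var b bytes.Buffer
	b.WriteString("II")
	for _, v := range []interface{}{uint16(42), uint32(8), uint16(len(entries)), entries, uint32(0)} {
		binary.Write(&b, binary.LittleEndian, v)
	}
	return append(b.Bytes(), make([]byte, payload)...)
}

// Inputs in the shape each advisory describes. The reports' own files are not on the page,
// so these are constructed only to exercise the corresponding check.
var Samples = map[string][]byte{
	"benign":      Sample(4096, entry{256, 4, 1, 64}, entry{257, 4, 1, 64}, entry{322, 4, 1, 64}, entry{323, 4, 1, 64}, entry{325, 4, 1, 4096}),
	"zero-height": Sample(16, entry{256, 4, 1, 0xFFFFFFFF}, entry{257, 4, 1, 0}, entry{322, 4, 1, 16}, entry{323, 4, 1, 16}, entry{325, 4, 1, 16}), // CVE-2023-29407
	"huge-tile":   Sample(16, entry{256, 4, 1, 16}, entry{257, 4, 1, 16}, entry{322, 4, 1, 16}, entry{323, 4, 1, 16}, entry{325, 4, 1, 0xFFFFFFF0}),   // CVE-2023-29408
	"huge-count":  Sample(0, entry{256, 4, 1, 16}, entry{257, 4, 1, 16}, entry{279, 4, 1 << 30, 8}),                                                // CVE-2022-41727, decoder.ifdUint
}

func main() {
	for name, in := range Samples {
		_, h, err := Precheck(bytes.NewReader(in))
		fmt.Printf("%-11s %+v -> %v\n", name, h, err)
	}
}
```

Two caveats follow from the records themselves. DecodeConfig is listed among the affected routines in all three, so calling it first as a guard does not help on an unpatched version; a pre-check like the one above has to run before any decoder code touches the bytes, and io.LimitReader caps what is read at all. Second, the pre-check bounds only what is visible in the IFD: a tile whose compressed bytes expand to far more data when decoded, the behaviour the CVE-2023-29408 summary describes, is not visible there, so on an unpatched version only the upstream fix bounds it. `go run .` on the block prints each sample's parsed header and verdict.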