Skip to main content

Golang Org X Image Tiff CVE-2026-33809

| EUVDEUVD-2026-15960 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-25 Go
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 18:47 euvd
EUVD-2026-15960
Analysis Generated
Mar 25, 2026 - 18:47 vuln.today
CVE Published
Mar 25, 2026 - 18:24 nvd
MEDIUM 5.3

DescriptionCVE.org

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

AnalysisAI

Memory exhaustion in TIFF image processing allows unauthenticated remote attackers to trigger allocation of up to 4GiB of memory by submitting malicious image files, resulting in denial of service through resource depletion or application crashes. Affected systems lack available patches, leaving deployed instances vulnerable to this attack vector requiring only network access and no user interaction.

Technical ContextAI

The vulnerability resides in Go's standard image/tiff decoding library, specifically in golang.org/x/image/tiff (referenced via CPE cpe:2.3:a:golang.org/x/image:golang.org/x/image/tiff:*:*:*:*:*:*:*:*). The root cause is insufficient validation of TIFF file headers and metadata before memory allocation, allowing an attacker to craft a specially formatted TIFF file that specifies impossibly large image dimensions or allocation parameters. This falls under the category of resource exhaustion vulnerabilities, related to improper input validation and lack of bounds checking. When the decoder attempts to allocate buffers for image data based on untrusted file metadata, it can request up to 4 GiB of memory without adequate sanity checks, leading to either memory exhaustion on systems with constrained resources or triggering the operating system's out-of-memory killer.

RemediationAI

Update golang.org/x/image to the patched version addressing Go issue 78267, specifically incorporating the fix from Go commit 757660 (https://go.dev/cl/757660). For applications using golang.org/x/image/tiff, run 'go get -u golang.org/x/image' to fetch the latest version with the memory allocation bounds checks in place. If immediate patching is not feasible, implement input validation and sanitization for TIFF files before passing them to the decoder, including verification of image dimensions and metadata against reasonable thresholds, and enforce resource limits (memory cgroups, process limits) on image processing services. Monitor the official Go security advisory at https://go.dev/issue/78267 for additional guidance or version-specific patch information.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2026-33809 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy