Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (Go).
CVSS VectorVendor: Go
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
7DescriptionCVE.org
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
AnalysisAI
Denial of service in Go's x/image/webp library allows remote attackers to crash 32-bit applications by sending specially crafted WEBP images with invalid large size values, triggering runtime panic. Vendor patch released (version 0.39.0) with low EPSS score (0.02%) indicating minimal observed exploitation activity. Despite network vector and no authentication requirements (CVSS AV:N/PR:N), exploitation is platform-specific to 32-bit architectures only.
Technical ContextAI
The Go x/image/webp library provides WEBP image format parsing capabilities for Go applications. This vulnerability affects the image dimension validation logic on 32-bit platforms (386, ARM, MIPS architectures) where integer overflow or bounds checking fails when processing size metadata in WEBP headers. On 32-bit systems, Go's runtime panic mechanism is triggered when the parser encounters dimensions exceeding safe memory allocation thresholds. The affected component is golang.org/x/image/webp prior to version 0.39.0, an extended Go library outside the standard library but widely used for image processing in Go applications, web servers, API endpoints, and batch processing pipelines handling user-uploaded images.
RemediationAI
Upgrade golang.org/x/image/webp to version 0.39.0 or later, which contains the fix for invalid size handling on 32-bit platforms (patch details at https://go.dev/cl/759860). Recompile all affected Go applications with the updated dependency and redeploy to production systems. For environments unable to immediately patch, implement input validation to reject WEBP images with suspicious dimension metadata before passing to the parser - specifically reject images claiming dimensions exceeding reasonable thresholds like 65535x65535 pixels, though this workaround may block legitimate large images and does not address root cause. Additional compensating control: restrict WEBP upload functionality to authenticated users only, reducing attack surface from anonymous internet sources (note this reduces but does not eliminate risk). Long-term mitigation: migrate 32-bit deployments to 64-bit architectures where the vulnerability does not occur, eliminating the platform-specific integer handling issue entirely.
More in Golang Org X Image Webp
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24247