Skip to main content

golang.org/x/image/webp CVE-2026-33813

| EUVDEUVD-2026-24247 HIGH
2026-04-21 Go
7.5
CVSS 3.1 · Vendor: Go
Share

Severity by source

Vendor (Go) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (Go).

CVSS VectorVendor: Go

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 16:22 vuln.today
CVSS changed
Apr 22, 2026 - 16:22 NVD
7.5 (HIGH)
Patch released
Apr 21, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 21, 2026 - 20:00 euvd
EUVD-2026-24247
Analysis Generated
Apr 21, 2026 - 20:00 vuln.today
CVE Published
Apr 21, 2026 - 19:21 nvd
HIGH 7.5

DescriptionCVE.org

Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

AnalysisAI

Denial of service in Go's x/image/webp library allows remote attackers to crash 32-bit applications by sending specially crafted WEBP images with invalid large size values, triggering runtime panic. Vendor patch released (version 0.39.0) with low EPSS score (0.02%) indicating minimal observed exploitation activity. Despite network vector and no authentication requirements (CVSS AV:N/PR:N), exploitation is platform-specific to 32-bit architectures only.

Technical ContextAI

The Go x/image/webp library provides WEBP image format parsing capabilities for Go applications. This vulnerability affects the image dimension validation logic on 32-bit platforms (386, ARM, MIPS architectures) where integer overflow or bounds checking fails when processing size metadata in WEBP headers. On 32-bit systems, Go's runtime panic mechanism is triggered when the parser encounters dimensions exceeding safe memory allocation thresholds. The affected component is golang.org/x/image/webp prior to version 0.39.0, an extended Go library outside the standard library but widely used for image processing in Go applications, web servers, API endpoints, and batch processing pipelines handling user-uploaded images.

RemediationAI

Upgrade golang.org/x/image/webp to version 0.39.0 or later, which contains the fix for invalid size handling on 32-bit platforms (patch details at https://go.dev/cl/759860). Recompile all affected Go applications with the updated dependency and redeploy to production systems. For environments unable to immediately patch, implement input validation to reject WEBP images with suspicious dimension metadata before passing to the parser - specifically reject images claiming dimensions exceeding reasonable thresholds like 65535x65535 pixels, though this workaround may block legitimate large images and does not address root cause. Additional compensating control: restrict WEBP upload functionality to authenticated users only, reducing attack surface from anonymous internet sources (note this reduces but does not eliminate risk). Long-term mitigation: migrate 32-bit deployments to 64-bit architectures where the vulnerability does not occur, eliminating the platform-specific integer handling issue entirely.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-33813 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy