Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Untrusted TIFF input is parsed without auth or interaction (AV:N/AC:L/PR:N/UI:N); a panic crashes the process so A:H, with no confidentiality or integrity impact.
Primary rating from Vendor (Go).
CVSS VectorVendor: Go
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.
AnalysisAI
Denial of service in the Go golang.org/x/image/tiff decoder allows remote attackers to crash any application that parses untrusted TIFF images. A maliciously crafted image with an out-of-bounds strip offset triggers a panic in the decoder, terminating the goroutine or process (CVSS 7.5, availability-only impact). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the target application actually decode attacker-supplied TIFF data using golang.org/x/image/tiff at a version below 0.43.0 - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker uploads a specially crafted TIFF file to an application that processes images server-side (thumbnailing, avatar processing, document ingestion) using golang.org/x/image/tiff below 0.43.0. The malformed strip offset causes the decoder to panic during parsing, crashing the handling goroutine or the whole service and producing a denial of service. … |
| Remediation | Vendor-released patch: golang.org/x/image 0.43.0 - upgrade the dependency to 0.43.0 or later (e.g. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit applications and services using golang.org/x/image/tiff decoder; identify those processing untrusted image sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Golang Org X Image Tiff
View allThe TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image cont
Denial-of-service in the Go golang.org/x/image/tiff package (versions before 0.41.0) allows remote attackers to exhaust
Memory exhaustion in TIFF image processing allows unauthenticated remote attackers to trigger allocation of up to 4GiB o
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39909