Skip to main content

Go x/image CVE-2026-46604

| EUVDEUVD-2026-39909 HIGH
Out-of-bounds Write (CWE-787)
2026-06-26 Go
7.5
CVSS 3.1 · Vendor: Go
Share

Severity by source

Vendor (Go) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Untrusted TIFF input is parsed without auth or interaction (AV:N/AC:L/PR:N/UI:N); a panic crashes the process so A:H, with no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Go).

CVSS VectorVendor: Go

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 29, 2026 - 14:25 vuln.today
CVSS changed
Jun 29, 2026 - 14:22 NVD
7.5 (HIGH)
Patch available
Jun 26, 2026 - 22:02 EUVD
CVE Published
Jun 26, 2026 - 20:22 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.

AnalysisAI

Denial of service in the Go golang.org/x/image/tiff decoder allows remote attackers to crash any application that parses untrusted TIFF images. A maliciously crafted image with an out-of-bounds strip offset triggers a panic in the decoder, terminating the goroutine or process (CVSS 7.5, availability-only impact). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft TIFF with out-of-bounds strip offset
Delivery
Submit image to decode endpoint
Exploit
x/image/tiff reads invalid strip offset
Execution
Out-of-bounds access triggers Go panic
Impact
Goroutine/process crashes (denial of service)

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target application actually decode attacker-supplied TIFF data using golang.org/x/image/tiff at a version below 0.43.0 - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are internally consistent and point to a real but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads a specially crafted TIFF file to an application that processes images server-side (thumbnailing, avatar processing, document ingestion) using golang.org/x/image/tiff below 0.43.0. The malformed strip offset causes the decoder to panic during parsing, crashing the handling goroutine or the whole service and producing a denial of service. …
Remediation Vendor-released patch: golang.org/x/image 0.43.0 - upgrade the dependency to 0.43.0 or later (e.g. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit applications and services using golang.org/x/image/tiff decoder; identify those processing untrusted image sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46604 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy