Skip to main content

Go x/image EUVDEUVD-2026-33419

| CVE-2026-42500 MEDIUM
2026-05-29 Go GHSA-m6fh-wvw4-4629
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
May 29, 2026 - 21:52 vuln.today
Patch available
May 29, 2026 - 21:02 EUVD
CVSS changed
May 29, 2026 - 20:22 NVD
5.3 (MEDIUM)
CVE Published
May 29, 2026 - 18:36 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.

AnalysisAI

Panic-induced denial of service in the golang.org/x/image/bmp decoder allows remote unauthenticated attackers to crash any Go application that processes untrusted BMP files. When a paletted BMP containing an out-of-range palette index is decoded, the image package accesses invalid memory and triggers a Go runtime panic, terminating the affected goroutine or process. No public exploit exists at time of analysis, but the attack is automatable per SSVC and requires no privileges or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making any internet-exposed BMP processing endpoint an accessible target.

Technical ContextAI

The affected component is the BMP image decoder in the golang.org/x/image/bmp package (CPE: cpe:2.3:a:golang.org/x/image:golang.org/x/image/bmp:*:*:*:*:*:*:*:*), part of Go's extended imaging library maintained under the golang.org/x namespace. BMP files using indexed color modes contain a palette (a lookup table of colors) and per-pixel indices referencing entries in that palette. The vulnerability arises because the decoder fails to validate whether a pixel's palette index falls within the bounds of the defined palette before dereferencing it. In Go, an out-of-bounds slice or array access causes a runtime panic rather than undefined behavior as in C/C++, resulting in a hard crash of the decoding goroutine. No CWE was assigned in the NVD record; the root cause is consistent with CWE-125 (Out-of-bounds Read) or CWE-129 (Improper Validation of Array Index). The issue is tracked upstream at go.dev/issue/79576 and the fix was submitted via code review at go.dev/cl/781500.

RemediationAI

Upgrade golang.org/x/image to version 0.41.0 or later, which contains the upstream fix (go.dev/cl/781500). Run 'go get golang.org/x/image@v0.41.0' and rebuild affected binaries, then redeploy. Confirm the fix is in place by checking 'go list -m golang.org/x/image' against the running binary's module graph. If an immediate upgrade is not possible, the primary compensating control is to reject BMP file uploads or processing requests at the application boundary before they reach the decoder - for example, by enforcing a strict MIME type allowlist and rejecting 'image/bmp' or files with a BMP magic header (0x42 0x4D). This eliminates the attack surface entirely at the cost of losing BMP support. Sandboxing image decoding in a separate process with restricted privileges (e.g., via seccomp or a subprocess with a panic-recovery wrapper) can limit blast radius if BMP support must be retained. No additional server-level firewall rules meaningfully mitigate this, as the vulnerability is triggered by file content rather than a specific port or protocol.

Vendor StatusVendor

SUSE

Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-33419 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy