Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.
AnalysisAI
Panic-induced denial of service in the golang.org/x/image/bmp decoder allows remote unauthenticated attackers to crash any Go application that processes untrusted BMP files. When a paletted BMP containing an out-of-range palette index is decoded, the image package accesses invalid memory and triggers a Go runtime panic, terminating the affected goroutine or process. No public exploit exists at time of analysis, but the attack is automatable per SSVC and requires no privileges or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making any internet-exposed BMP processing endpoint an accessible target.
Technical ContextAI
The affected component is the BMP image decoder in the golang.org/x/image/bmp package (CPE: cpe:2.3:a:golang.org/x/image:golang.org/x/image/bmp:*:*:*:*:*:*:*:*), part of Go's extended imaging library maintained under the golang.org/x namespace. BMP files using indexed color modes contain a palette (a lookup table of colors) and per-pixel indices referencing entries in that palette. The vulnerability arises because the decoder fails to validate whether a pixel's palette index falls within the bounds of the defined palette before dereferencing it. In Go, an out-of-bounds slice or array access causes a runtime panic rather than undefined behavior as in C/C++, resulting in a hard crash of the decoding goroutine. No CWE was assigned in the NVD record; the root cause is consistent with CWE-125 (Out-of-bounds Read) or CWE-129 (Improper Validation of Array Index). The issue is tracked upstream at go.dev/issue/79576 and the fix was submitted via code review at go.dev/cl/781500.
RemediationAI
Upgrade golang.org/x/image to version 0.41.0 or later, which contains the upstream fix (go.dev/cl/781500). Run 'go get golang.org/x/image@v0.41.0' and rebuild affected binaries, then redeploy. Confirm the fix is in place by checking 'go list -m golang.org/x/image' against the running binary's module graph. If an immediate upgrade is not possible, the primary compensating control is to reject BMP file uploads or processing requests at the application boundary before they reach the decoder - for example, by enforcing a strict MIME type allowlist and rejecting 'image/bmp' or files with a BMP magic header (0x42 0x4D). This eliminates the attack surface entirely at the cost of losing BMP support. Sandboxing image decoding in a separate process with restricted privileges (e.g., via seccomp or a subprocess with a panic-recovery wrapper) can limit blast radius if BMP support must be retained. No additional server-level firewall rules meaningfully mitigate this, as the vulnerability is triggered by file content rather than a specific port or protocol.
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33419
GHSA-m6fh-wvw4-4629