Skip to main content

golang.org/x/image EUVDEUVD-2026-33432

| CVE-2026-46599 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-29 Go GHSA-q675-qj96-32m9
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 01, 2026 - 17:30 vuln.today
CVSS changed
Jun 01, 2026 - 15:22 NVD
7.5 (HIGH)
Patch available
May 29, 2026 - 21:02 EUVD
CVE Published
May 29, 2026 - 19:35 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.

AnalysisAI

Denial-of-service in the Go golang.org/x/image/tiff package (versions before 0.41.0) allows remote attackers to exhaust memory or CPU by submitting a small, maliciously-crafted TIFF image whose PackBits-compressed stream decodes to disproportionately large output. Any Go service that parses untrusted TIFF input via this library is exposed; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).

Technical ContextAI

The affected component is the TIFF decoder shipped in the Go supplementary imaging library (CPE cpe:2.3:a:golang.org/x/image:golang.org/x/image/tiff). PackBits is a simple run-length encoding scheme defined in the TIFF specification where short control bytes can expand into long output runs, creating a natural amplification primitive. The root cause maps to CWE-770 (Allocation of Resources Without Limits or Throttling): the decoder honors the encoded run counts and allocates/decodes the resulting output without bounding it against the declared image dimensions or a hard ceiling, so a tiny on-disk file with small width/height can still drive the decoder to process huge volumes of compressed data.

RemediationAI

Upgrade the golang.org/x/image dependency to v0.41.0 or later (Vendor-released patch: 0.41.0); run 'go get golang.org/x/image@v0.41.0' followed by 'go mod tidy' and rebuild, and use 'govulncheck ./...' to confirm GO-2026-5032 is no longer reported. Validate the fix against the upstream advisory at https://pkg.go.dev/vuln/GO-2026-5032 and the announcement at https://groups.google.com/g/golang-announce/c/uhYX90BlBvI. Where an immediate upgrade is not possible, compensating controls include rejecting TIFF uploads at the application boundary (content-type and magic-byte allowlists), enforcing a strict maximum request/body size on endpoints that accept images (trade-off: legitimate large uploads are blocked), running TIFF decoding in a subprocess or sandbox with hard memory and CPU limits (e.g., cgroups, GOMEMLIMIT) so a bomb crashes only the worker rather than the parent (trade-off: added operational complexity and per-request overhead), and pre-validating declared image dimensions and on-disk size ratios before invoking the decoder (trade-off: may still be bypassed because the bug is precisely that a small declared size can decode to large data).

Share

EUVD-2026-33432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy