Golang Org X Image Bmp
Monthly
Panic-induced denial of service in the golang.org/x/image/bmp decoder allows remote unauthenticated attackers to crash any Go application that processes untrusted BMP files. When a paletted BMP containing an out-of-range palette index is decoded, the image package accesses invalid memory and triggers a Go runtime panic, terminating the affected goroutine or process. No public exploit exists at time of analysis, but the attack is automatable per SSVC and requires no privileges or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making any internet-exposed BMP processing endpoint an accessible target.
Panic-induced denial of service in the golang.org/x/image/bmp decoder allows remote unauthenticated attackers to crash any Go application that processes untrusted BMP files. When a paletted BMP containing an out-of-range palette index is decoded, the image package accesses invalid memory and triggers a Go runtime panic, terminating the affected goroutine or process. No public exploit exists at time of analysis, but the attack is automatable per SSVC and requires no privileges or user interaction (CVSS AV:N/AC:L/PR:N/UI:N), making any internet-exposed BMP processing endpoint an accessible target.