Golang Org X Image Tiff
Monthly
Denial of service in the Go golang.org/x/image/tiff decoder allows remote attackers to crash any application that parses untrusted TIFF images. A maliciously crafted image with an out-of-bounds strip offset triggers a panic in the decoder, terminating the goroutine or process (CVSS 7.5, availability-only impact). There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), indicating no observed mass exploitation, but the bug is trivially triggerable wherever the library decodes attacker-supplied images.
The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
Denial-of-service in the Go golang.org/x/image/tiff package (versions before 0.41.0) allows remote attackers to exhaust memory or CPU by submitting a small, maliciously-crafted TIFF image whose PackBits-compressed stream decodes to disproportionately large output. Any Go service that parses untrusted TIFF input via this library is exposed; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).
Memory exhaustion in TIFF image processing allows unauthenticated remote attackers to trigger allocation of up to 4GiB of memory by submitting malicious image files, resulting in denial of service through resource depletion or application crashes. Affected systems lack available patches, leaving deployed instances vulnerable to this attack vector requiring only network access and no user interaction.
Denial of service in the Go golang.org/x/image/tiff decoder allows remote attackers to crash any application that parses untrusted TIFF images. A maliciously crafted image with an out-of-bounds strip offset triggers a panic in the decoder, terminating the goroutine or process (CVSS 7.5, availability-only impact). There is no public exploit identified at time of analysis, and EPSS is low (0.17%, 7th percentile), indicating no observed mass exploitation, but the bug is trivially triggerable wherever the library decodes attacker-supplied images.
The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
Denial-of-service in the Go golang.org/x/image/tiff package (versions before 0.41.0) allows remote attackers to exhaust memory or CPU by submitting a small, maliciously-crafted TIFF image whose PackBits-compressed stream decodes to disproportionately large output. Any Go service that parses untrusted TIFF input via this library is exposed; no public exploit identified at time of analysis and EPSS exploitation probability is very low (0.02%, 5th percentile).
Memory exhaustion in TIFF image processing allows unauthenticated remote attackers to trigger allocation of up to 4GiB of memory by submitting malicious image files, resulting in denial of service through resource depletion or application crashes. Affected systems lack available patches, leaving deployed instances vulnerable to this attack vector requiring only network access and no user interaction.