Golang Org X Image Webp
Monthly
The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.
Denial of service in Go's x/image/webp library allows remote attackers to crash 32-bit applications by sending specially crafted WEBP images with invalid large size values, triggering runtime panic. Vendor patch released (version 0.39.0) with low EPSS score (0.02%) indicating minimal observed exploitation activity. Despite network vector and no authentication requirements (CVSS AV:N/PR:N), exploitation is platform-specific to 32-bit architectures only.
The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.
Denial of service in Go's x/image/webp library allows remote attackers to crash 32-bit applications by sending specially crafted WEBP images with invalid large size values, triggering runtime panic. Vendor patch released (version 0.39.0) with low EPSS score (0.02%) indicating minimal observed exploitation activity. Despite network vector and no authentication requirements (CVSS AV:N/PR:N), exploitation is platform-specific to 32-bit architectures only.