Description
A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.
Published: 2026-03-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A maliciously crafted TIFF file can force the Go image/tiff decoder to try allocating up to 4 GiB of memory, which may overwhelm the system or trigger an out‑of‑memory condition. The result is a denial of service by exhausting available resources.

Affected Systems

The vulnerability exists in golang.org/x/image, specifically the golang.org/x/image/tiff package. Version information is not specified in the advisories, so any installation of this package that contains the buggy decoder may be affected.

Risk and Exploitability

With a CVSS score of 5.3 the severity is moderate. The EPSS score is less than 1% (approximately 0.00012), indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The vulnerability is triggered by supplying a crafted TIFF file; therefore, the likely attack vector is through arbitrary file processing, either locally by users who can supply files or remotely if the application accepts uploads. Exploitation requires only the presence of a vulnerable decoder and a malicious file. Once triggered, the service can be brought down or degraded by exhausting memory resources.

Generated by OpenCVE AI on April 22, 2026 at 06:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of golang.org/x/image that includes the fix for the TIFF decoder.
  • If an upgrade cannot be performed immediately, restrict processing of TIFF files to trusted or verified sources, and validate file size before decoding.
  • Run the image decoding components in a constrained environment (e.g., containers with memory limits) to limit the impact of an out‑of‑memory failure.

Generated by OpenCVE AI on April 22, 2026 at 06:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-44p7-9xx4-hf2g Go Images vulnerable to an out-of-memory error via a crafted TIFF file
History

Tue, 21 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
CPEs cpe:2.3:a:golang:tiff:*:*:*:*:*:go:*:*

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang image
Golang tiff
Vendors & Products Golang
Golang image
Golang tiff

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.
Title OOM from malicious IFD offset in golang.org/x/image/tiff
References

Subscriptions

Golang Image Tiff
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-06T21:12:56.092Z

Reserved: 2026-03-23T20:35:32.813Z

Link: CVE-2026-33809

cve-icon Vulnrichment

Updated: 2026-03-25T20:05:46.284Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T19:16:51.830

Modified: 2026-04-21T16:30:41.977

Link: CVE-2026-33809

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T18:24:04Z

Links: CVE-2026-33809 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T06:15:10Z

Weaknesses