Description
Parsing a malicious font file can cause excessive memory allocation.
Published: 2026-04-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Parsing a malicious SFNT font file triggers an excessive memory allocation in the golang.org/x/image/font/sfnt package. The flaw can cause the process to consume large amounts of memory, potentially exhausting system resources and leading to a denial of service. The weakness is a form of uncontrolled memory allocation (CWE-770).

Affected Systems

The vulnerability affects any application that imports and uses the golang.org/x/image/font/sfnt package, including all versions of the golang.org/x/image library prior to a patch, regardless of the Go runtime version. No specific product versions are listed in the CNA data, so all unpatched instances are potentially impacted.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. The EPSS score of < 1% (0.00013) shows a low probability that this flaw will be exploited. The flaw is not listed in CISA’s Known Exploited Vulnerabilities catalog, suggesting no publicly known exploits yet. The likely attack vector involves an attacker providing a specially crafted font file to an application that processes fonts; this is inferred because the vulnerability is triggered during font parsing.

Generated by OpenCVE AI on May 2, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check golang.org/x/image for updates or newer releases that address memory‑allocation issues
  • Validate or sanitize any font files before passing to the SFNT parser, rejecting files that exceed size thresholds
  • Configure Go runtime memory limits or use cgroups to constrain the memory available to the process so that a memory‑exhaustion attempt cannot crash the host

Generated by OpenCVE AI on May 2, 2026 at 13:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 20:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:golang:image:*:*:*:*:*:go:*:*

Sat, 02 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang image
Vendors & Products Golang
Golang image

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Parsing a malicious font file can cause excessive memory allocation.
Title Excessive memory allocation when decoding malicious SFNT in golang.org/x/image
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Golang Image
cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-21T20:43:11.915Z

Reserved: 2026-03-23T20:35:32.814Z

Link: CVE-2026-33812

cve-icon Vulnrichment

Updated: 2026-04-21T20:43:03.869Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T20:16:56.290

Modified: 2026-05-13T20:03:32.453

Link: CVE-2026-33812

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T19:21:28Z

Links: CVE-2026-33812 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T14:00:06Z

Weaknesses