Description
Parsing a malicious font file can cause excessive memory allocation.
Published: 2026-04-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Monitor
AI Analysis

Impact

Parsing a malicious SFNT font file triggers an excessive memory allocation in the golang.org/x/image/font/sfnt package. The flaw can cause the process to consume large amounts of memory, potentially exhausting system resources and leading to a denial of service. The weakness is a form of uncontrolled resource consumption (CWE-400).

Affected Systems

The vulnerability affects any application that imports and uses the golang.org/x/image/font/sfnt package, including all versions of the golang.org/x/image library prior to a patch, regardless of the Go runtime version. No specific product versions are listed in the CNA data, so all unpatched instances are potentially impacted.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS information is not available, so the current exploitation probability cannot be quantified. The flaw is not listed in CISA’s Known Exploited Vulnerabilities catalog, suggesting no publicly known exploits yet. The likely attack vector involves an attacker providing a specially crafted font file to an application that processes fonts; this is inferred because the vulnerability is triggered during font parsing.

Generated by OpenCVE AI on April 22, 2026 at 05:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check golang.org/x/image for updates or newer releases that address memory-allocation issues
  • Validate or sanitize any font files before passing them to the SFNT parser, rejecting files that exceed size thresholds
  • Configure Go runtime memory limits or use cgroups to constrain the memory available to the process so that a memory-exhaustion attempt cannot crash the host
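As an added example (not OpenCVE's text and not code from golang.org/x/image), the following Go program shows how the second and third recommended actions can be applied inside an application: an assumed size ceiling (MaxFontBytes), a structural check of the SFNT offset table (the version tag and that the table directory fits in the file), and a runtime soft memory limit via debug.SetMemoryLimit. The call into sfnt.Parse itself is left out so the block builds without the x/image module; the header checks assume the standard 12-byte SFNT offset table with 16-byte table records, and the sample input is constructed, not taken from the advisory.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"runtime/debug"
)

// Assumed application-specific limits; tune them to the fonts you actually serve.
const (
	MaxFontBytes    int64 = 8 << 20 // 8 MiB ceiling for a single font file
	offsetTableSize       = 12      // sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
	tableRecordSize       = 16      // tag(4) checksum(4) offset(4) length(4)
)

var (
	ErrTooLarge   = errors.New("font exceeds size threshold")
	ErrBadMagic   = errors.New("not an SFNT font")
	ErrTableCount = errors.New("table directory does not fit in file")
)

// ReadFontBounded reads at most limit bytes from r and rejects sources that
// carry more, so an untrusted upload cannot buffer an arbitrary amount of data.
func ReadFontBounded(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrTooLarge
	}
	return data, nil
}

// CheckSFNTHeader validates the offset table before the bytes reach a full
// parser: a known sfntVersion tag, and numTables records that fit in the file.
func CheckSFNTHeader(data []byte) error {
	if len(data) < offsetTableSize {
		return ErrBadMagic
	}
	switch string(data[:4]) {
	case "\x00\x01\x00\x00", "OTTO", "true":
		// TrueType, CFF-based OpenType, Apple TrueType: fall through to the table check.
	case "ttcf":
		// Font collection: each member font has its own offset table, so the
		// per-table check below does not apply at this level.
		return nil
	default:
		return ErrBadMagic
	}
	numTables := int(binary.BigEndian.Uint16(data[4:6]))
	if offsetTableSize+tableRecordSize*numTables > len(data) {
		return ErrTableCount
	}
	return nil
}

// PrepareUntrustedFont applies both checks and returns bytes that are safe to
// hand to sfnt.Parse (assumed to be called by the caller, not shown here).
func PrepareUntrustedFont(r io.Reader) ([]byte, error) {
	data, err := ReadFontBounded(r, MaxFontBytes)
	if err != nil {
		return nil, err
	}
	if err := CheckSFNTHeader(data); err != nil {
		return nil, err
	}
	return data, nil
}

// ApplyMemoryLimit sets the Go runtime's soft memory limit (Go 1.19+) and
// returns the previous value. This drives the GC harder as the heap nears the
// limit; it does not hard-cap allocation, so pair it with a cgroup limit.
func ApplyMemoryLimit(limit int64) int64 {
	return debug.SetMemoryLimit(limit)
}

func main() {
	prev := ApplyMemoryLimit(512 << 20) // assumed 512 MiB soft limit
	fmt.Printf("previous memory limit: %d\n", prev)

	// Constructed 28-byte input: TrueType tag, numTables = 1, one empty table record.
	sample := append([]byte{0, 1, 0, 0, 0, 1, 0, 16, 0, 0, 0, 0}, make([]byte, tableRecordSize)...)
	if _, err := PrepareUntrustedFont(bytes.NewReader(sample)); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("header checks passed; safe to hand to the SFNT parser")
}
```

The size ceiling and header check are cheap and run before any parser allocation, which is where the reported weakness is triggered; the runtime limit is a soft target that only shapes garbage collection, so an actual cap on process memory still has to come from the operating system (cgroups, as the third action says).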

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Golang; Golang image
Vendors & Products                    Golang; Golang image

Wed, 22 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description                    Parsing a malicious font file can cause excessive memory allocation.
Title                          Excessive memory allocation when decoding malicious SFNT in golang.org/x/image
References
Metrics                        cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H'}
                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-21T20:43:11.915Z

Reserved: 2026-03-23T20:35:32.814Z

Link: CVE-2026-33812

Vulnrichment

Updated: 2026-04-21T20:43:03.869Z

NVD

Status: Received

Published: 2026-04-21T20:16:56.290

Modified: 2026-04-21T21:16:29.843

Link: CVE-2026-33812

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:34Z

Weaknesses

No weakness.