Description
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The WebP decoder in golang.org/x/image/webp panics on 32‑bit platforms when it parses an image whose header declares an invalid, very large size. The size value is not handled correctly during parsing, so the panic terminates the application: any program that decodes the malformed image crashes, which is a denial of service caused by a missing input validation check.

Affected Systems

All versions of the golang.org/x/image/webp package used in Go applications on 32‑bit operating systems are affected. The vulnerability is tied to the WebP decoding code and is present until the library is updated with the fix described in the referenced Go issue.

Risk and Exploitability

The exploit requires an attacker to supply a crafted WebP file with an oversized size field. On 32‑bit systems, the decoder will panic and terminate the process. No public exploit is listed and the EPSS score is not available, but the impact is a local or remote denial of service if the application accepts external images. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the issue from any environment that feeds WebP data to the decoder, making the risk moderate to high for exposed services.

Generated by OpenCVE AI on April 22, 2026 at 05:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade golang.org/x/image/webp to a patched version.
  • Validate WebP images before decoding to reject oversized files.
  • Run the application on a 64‑bit platform or isolate 32‑bit execution to prevent the overflow from causing a crash.
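One way to carry out the second recommendation (rejecting oversized files before the decoder ever sees them) is to read only the declared canvas size from the WebP header and compare it with a fixed pixel budget in 64-bit arithmetic, so the check itself cannot overflow on a 32-bit platform. The Go program below is an added example written for this page, not code from golang.org/x/image or from OpenCVE. The three header layouts follow the WebP container and bitstream specifications; MaxPixels is a hypothetical budget, and the two sample files are constructed inside the code.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// MaxPixels is a hypothetical per-image pixel budget for this gate. Size it for
// the memory one decode may use: at 4 bytes per pixel, 16384*16384 is about 1 GiB.
const MaxPixels uint64 = 16384 * 16384

var ErrNotWebP = errors.New("not a RIFF/WEBP container")

// WebPDimensions reads the declared canvas size from the first chunk of a WebP
// file without touching pixel data. Layouts are from the WebP specifications.
func WebPDimensions(data []byte) (width, height uint64, err error) {
	if len(data) < 20 || string(data[0:4]) != "RIFF" || string(data[8:12]) != "WEBP" {
		return 0, 0, ErrNotWebP
	}
	fourCC := string(data[12:16])
	chunkLen := uint64(binary.LittleEndian.Uint32(data[16:20]))
	payload := data[20:]
	if uint64(len(payload)) < chunkLen {
		return 0, 0, fmt.Errorf("truncated %q chunk: claims %d bytes, %d present", fourCC, chunkLen, len(payload))
	}
	payload = payload[:chunkLen]

	switch fourCC {
	case "VP8X": // flags(1) reserved(3) width-1 (24-bit LE) height-1 (24-bit LE)
		if len(payload) < 10 {
			return 0, 0, errors.New("short VP8X chunk")
		}
		w := uint64(payload[4]) | uint64(payload[5])<<8 | uint64(payload[6])<<16
		h := uint64(payload[7]) | uint64(payload[8])<<8 | uint64(payload[9])<<16
		return w + 1, h + 1, nil
	case "VP8L": // signature 0x2f, then LE32: width-1 (14 bits), height-1 (14 bits), alpha, version
		if len(payload) < 5 || payload[0] != 0x2f {
			return 0, 0, errors.New("bad VP8L header")
		}
		bits := binary.LittleEndian.Uint32(payload[1:5])
		return uint64(bits&0x3fff) + 1, uint64((bits>>14)&0x3fff) + 1, nil
	case "VP8 ": // 3-byte frame tag, start code 9d 01 2a, LE16 width (14 bits), LE16 height (14 bits)
		if len(payload) < 10 || payload[3] != 0x9d || payload[4] != 0x01 || payload[5] != 0x2a {
			return 0, 0, errors.New("bad VP8 key frame header")
		}
		w := uint64(binary.LittleEndian.Uint16(payload[6:8]) & 0x3fff)
		h := uint64(binary.LittleEndian.Uint16(payload[8:10]) & 0x3fff)
		return w, h, nil
	}
	return 0, 0, fmt.Errorf("unexpected first chunk %q", fourCC)
}

// CheckWebPSize rejects an image whose declared canvas exceeds maxPixels. Each
// dimension is at most 2^24, so the product (at most 2^48) is computed in uint64
// and cannot wrap, whatever the platform's int width.
func CheckWebPSize(data []byte, maxPixels uint64) error {
	w, h, err := WebPDimensions(data)
	if err != nil {
		return err
	}
	if w == 0 || h == 0 {
		return errors.New("zero-sized canvas")
	}
	if w*h > maxPixels {
		return fmt.Errorf("declared canvas %dx%d exceeds pixel budget %d", w, h, maxPixels)
	}
	return nil
}

func le32(v uint32) []byte { b := make([]byte, 4); binary.LittleEndian.PutUint32(b, v); return b }

// riffWebP wraps one chunk in a RIFF/WEBP container (used only to build constructed samples).
func riffWebP(fourCC string, payload []byte) []byte {
	buf := append([]byte("RIFF"), le32(uint32(4+8+len(payload)))...)
	buf = append(buf, "WEBP"...)
	buf = append(buf, fourCC...)
	buf = append(buf, le32(uint32(len(payload)))...)
	return append(buf, payload...)
}

// SampleOversized (constructed): a VP8X header declaring the largest canvas the
// format can express, 16777216 x 16777216, with no pixel data behind it.
var SampleOversized = riffWebP("VP8X", []byte{0, 0, 0, 0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff})

// SampleSmall (constructed): a VP8L header declaring a 320x240 lossless image.
var SampleSmall = riffWebP("VP8L", append([]byte{0x2f}, le32(uint32(320-1)|uint32(240-1)<<14)...))

func main() {
	for name, data := range map[string][]byte{"oversized": SampleOversized, "small": SampleSmall} {
		if err := CheckWebPSize(data, MaxPixels); err != nil {
			fmt.Printf("%s: rejected before decode: %v\n", name, err)
			continue
		}
		fmt.Printf("%s: passed the size gate\n", name)
	}
}
```

Run the gate on the raw bytes before handing them to webp.Decode or webp.DecodeConfig; it reads only the first chunk, so the cost is negligible. It is a pre-filter for untrusted input, not a substitute for upgrading the library, and the budget should be set from the memory a single decode is allowed to consume in the service.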

Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Golang; Golang image

Type: Vendors & Products
Values Removed: (none)
Values Added: Golang; Golang image

Wed, 22 Apr 2026 05:45:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-680

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

Type: Title
Values Removed: (none)
Values Added: Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-22T15:34:46.427Z

Reserved: 2026-03-23T20:35:32.814Z

Link: CVE-2026-33813

Vulnrichment

Updated: 2026-04-22T15:23:59.710Z

NVD

Status: Received

Published: 2026-04-21T20:16:56.387

Modified: 2026-04-22T16:16:53.840

Link: CVE-2026-33813

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:35Z

Weaknesses