Description
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A WebP image decoder in golang.org/x/image/webp panics when parsing an image whose reported size field is invalid and excessively large. The failure to properly validate the size during decoding causes a panic on 32‑bit platforms, terminating the application. The resulting crash means an attacker can trigger a denial of service by supplying a crafted WebP file that exploits this unchecked size value.

Affected Systems

The description gives no affected‑version details, so the vulnerability is understood to affect any release of golang.org/x/image/webp running on a 32‑bit platform. No version range is listed in the CVE data, so the scope cannot be narrowed further.

Risk and Exploitability

To trigger the issue, an attacker would need to supply a malicious WebP file with an oversized size field. On affected 32‑bit systems, the decoder will panic and terminate the process. No public exploit is documented, and the EPSS score of < 1% indicates a very low probability of exploitation at this time. The CVSS score of 7.5 identifies moderate to high potential impact if the flaw were successfully leveraged, but the combination of low exploitation likelihood and the absence of widespread advisory listings reduces the immediate threat for exposed services.

Generated by OpenCVE AI on May 13, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade golang.org/x/image/webp to a patched version.
  • Validate WebP images before decoding to reject oversized files.
  • Run the application on a 64‑bit platform or isolate 32‑bit execution to prevent the overflow from causing a crash.
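The second recommended action (reject oversized files before decoding) can be implemented without touching the decoder: read the declared canvas size from the WebP container header and refuse anything outside a policy limit before the bytes ever reach golang.org/x/image/webp. The following Go program is an added example written for this page; it is not code from OpenCVE, the Go project, or the advisory. It parses the three first-chunk layouts defined by the WebP container format (VP8X canvas fields, the VP8L lossless header and the VP8 key-frame header), does the arithmetic in uint64 so the check cannot wrap on a 32-bit build, and uses constructed sample headers rather than real images. The 16384-pixel dimension limit is an assumed deployment policy, not a value from the advisory.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Policy limits for the pre-check. These are assumed deployment values,
// not numbers from the advisory; tune them to what the service must accept.
const (
	maxDim    = uint64(16384)
	maxPixels = maxDim * maxDim
)

var errBadHeader = errors.New("webp: malformed or unsupported header")

// webpCanvasSize returns the canvas dimensions declared in the first chunk of
// a WebP file (VP8X, VP8L or "VP8 ") by reading only the container header.
// All arithmetic is done in uint64 so the check behaves the same on 32-bit
// builds, where int is 32 bits wide and width*height*4 can wrap.
func webpCanvasSize(b []byte) (w, h uint64, err error) {
	if len(b) < 20 || string(b[0:4]) != "RIFF" || string(b[8:12]) != "WEBP" {
		return 0, 0, errBadHeader
	}
	fourcc := string(b[12:16])
	size := uint64(binary.LittleEndian.Uint32(b[16:20]))
	p := b[20:]
	if size > uint64(len(p)) {
		return 0, 0, errBadHeader // chunk claims more bytes than the file holds
	}
	p = p[:size]
	switch fourcc {
	case "VP8X": // extended: flags(1) reserved(3) width-1(3) height-1(3), little-endian
		if len(p) < 10 {
			return 0, 0, errBadHeader
		}
		w = uint64(p[4]) | uint64(p[5])<<8 | uint64(p[6])<<16
		h = uint64(p[7]) | uint64(p[8])<<8 | uint64(p[9])<<16
		return w + 1, h + 1, nil
	case "VP8L": // lossless: signature 0x2f, then 14 bits width-1 and 14 bits height-1
		if len(p) < 5 || p[0] != 0x2f {
			return 0, 0, errBadHeader
		}
		bits := binary.LittleEndian.Uint32(p[1:5])
		return uint64(bits&0x3fff) + 1, uint64((bits>>14)&0x3fff) + 1, nil
	case "VP8 ": // lossy key frame: 3-byte frame tag, start code 9d 01 2a, 14-bit width/height
		if len(p) < 10 || p[3] != 0x9d || p[4] != 0x01 || p[5] != 0x2a {
			return 0, 0, errBadHeader
		}
		w = uint64(binary.LittleEndian.Uint16(p[6:8]) & 0x3fff)
		h = uint64(binary.LittleEndian.Uint16(p[8:10]) & 0x3fff)
		return w, h, nil
	}
	return 0, 0, errBadHeader
}

// checkWebPSize is the gate to run before handing bytes to an image decoder:
// it rejects headers that are malformed or declare a canvas outside policy.
func checkWebPSize(b []byte) error {
	w, h, err := webpCanvasSize(b)
	if err != nil {
		return err
	}
	if w == 0 || h == 0 || w > maxDim || h > maxDim || w*h > maxPixels {
		return fmt.Errorf("webp: declared canvas %dx%d outside allowed range", w, h)
	}
	return nil
}

// wrapChunk builds a minimal RIFF/WEBP container around one chunk. It exists
// only to construct sample inputs for the demonstration below.
func wrapChunk(fourcc string, payload []byte) []byte {
	out := make([]byte, 20, 20+len(payload))
	copy(out[0:4], "RIFF")
	binary.LittleEndian.PutUint32(out[4:8], uint32(4+8+len(payload)))
	copy(out[8:12], "WEBP")
	copy(out[12:16], fourcc)
	binary.LittleEndian.PutUint32(out[16:20], uint32(len(payload)))
	return append(out, payload...)
}

// buildVP8X constructs a VP8X header declaring a w x h canvas (constructed
// sample data, not a real image).
func buildVP8X(w, h uint32) []byte {
	p := make([]byte, 10)
	wm, hm := w-1, h-1
	p[4], p[5], p[6] = byte(wm), byte(wm>>8), byte(wm>>16)
	p[7], p[8], p[9] = byte(hm), byte(hm>>8), byte(hm>>16)
	return wrapChunk("VP8X", p)
}

func main() {
	for _, in := range [][]byte{
		buildVP8X(16, 16),       // sane canvas
		buildVP8X(1<<24, 1<<24), // largest canvas VP8X can declare
		wrapChunk("VP8L", []byte{0x2f, 0x0f, 0xc0, 0x03, 0x00}), // lossless 16x16
		[]byte("definitely not a webp file"),
	} {
		fmt.Println(checkWebPSize(in))
	}
}
```

Run the gate on the raw upload before calling the decoder; a file that fails it is dropped without any image being allocated. Note that the check uses the declared canvas only, so it is a guard against absurd headers and not a replacement for upgrading the library once a fixed release is available.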


Advisories

No advisories yet.

History

Wed, 13 May 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Wed, 13 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:golang:image:*:*:*:*:*:go:*:*

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat hummingbird
Weaknesses CWE-190
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

threat_severity

Moderate


Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang image
Vendors & Products Golang
Golang image

Wed, 22 Apr 2026 05:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
Title Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-04-22T15:34:46.427Z

Reserved: 2026-03-23T20:35:32.814Z

Link: CVE-2026-33813

Vulnrichment

Updated: 2026-04-22T15:23:59.710Z

NVD

Status : Analyzed

Published: 2026-04-21T20:16:56.387

Modified: 2026-05-13T15:51:00.160

Link: CVE-2026-33813

Redhat

Severity : Moderate

Public Date: 2026-04-21T19:21:27Z

Links: CVE-2026-33813 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T19:30:03Z

Weaknesses