Impact
A malformed BMP file can declare a palette and then use pixel values that index beyond it. When the golang.org/x/image/bmp package reads the pixel data, it uses the supplied index to access the palette without comparing it against the number of palette entries actually defined. Go bounds-checks every slice access, so the out-of-range index does not read memory; it triggers a runtime panic. The panic unwinds the goroutine performing the decode and, unless a deferred recover in that same goroutine catches it, terminates the entire process. The flaw is therefore an improper input validation weakness that leads to denial of service, not to memory corruption or code execution. The CNA description does not spell out the attack vector, but it follows from the flaw: an attacker delivers a crafted BMP whose pixel data contains an out-of-range palette index to any code path that decodes the image.
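To make the flaw and both mitigations concrete, the following is an added Go example; it is not code from golang.org/x/image and does not reproduce that package's decoder. It models only the palette lookup step, using a constructed 4-entry palette and a constructed pixel row containing the out-of-range index 0x07, and shows three things: the unchecked lookup that panics, the bounds-checked version a library-side fix would use, and the recover wrapper a caller can apply while still running an unpatched release. All function names here are illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"image/color"
)

// ErrDecodePanic is returned by decodeWithRecover when the unchecked
// decoder panics on malformed input.
var ErrDecodePanic = errors.New("bmp: decoder panicked on malformed input")

// samplePalette returns a constructed 4-entry palette, standing in for a
// BMP whose header declares biClrUsed = 4 even though the image is 8 bits
// per pixel, so pixel bytes 4..255 are all out of range.
func samplePalette() color.Palette {
	return color.Palette{
		color.RGBA{0, 0, 0, 255},
		color.RGBA{255, 0, 0, 255},
		color.RGBA{0, 255, 0, 255},
		color.RGBA{0, 0, 255, 255},
	}
}

// wellFormedPixels is a constructed row of indices that all fit the palette.
func wellFormedPixels() []byte { return []byte{0, 1, 2, 3} }

// malformedPixels is a constructed row in which the third byte (0x07)
// exceeds the 4-entry palette.
func malformedPixels() []byte { return []byte{0, 1, 7, 3} }

// paletteLookupUnchecked mirrors the flawed pattern: each pixel byte is used
// directly as a palette index. Go bounds-checks the slice access, so an
// index >= len(pal) does not read memory; it panics with "index out of range".
func paletteLookupUnchecked(pal color.Palette, pix []byte) []color.Color {
	out := make([]color.Color, len(pix))
	for i, idx := range pix {
		out[i] = pal[idx] // panics when idx >= len(pal)
	}
	return out
}

// paletteLookupChecked validates every index before use and turns a bad
// file into an error the caller can handle, which is the library-side fix.
func paletteLookupChecked(pal color.Palette, pix []byte) ([]color.Color, error) {
	out := make([]color.Color, len(pix))
	for i, idx := range pix {
		if int(idx) >= len(pal) {
			return nil, fmt.Errorf("bmp: pixel %d has palette index %d but palette has %d entries", i, idx, len(pal))
		}
		out[i] = pal[idx]
	}
	return out, nil
}

// decodeWithRecover is the caller-side mitigation for an unpatched library:
// run the decoder under a deferred recover so a panic becomes an error
// instead of exiting the process. recover only catches panics raised in the
// goroutine where the defer was installed, so the decode must run here and
// not be handed off to another goroutine.
func decodeWithRecover(pal color.Palette, pix []byte) (res []color.Color, err error) {
	defer func() {
		if r := recover(); r != nil {
			res = nil
			err = fmt.Errorf("%w: %v", ErrDecodePanic, r)
		}
	}()
	return paletteLookupUnchecked(pal, pix), nil
}

func main() {
	pal := samplePalette()

	if px, err := paletteLookupChecked(pal, wellFormedPixels()); err == nil {
		fmt.Println("checked decode of well-formed row ok:", len(px), "pixels")
	}
	if _, err := paletteLookupChecked(pal, malformedPixels()); err != nil {
		fmt.Println("checked decode rejects malformed row:", err)
	}
	if _, err := decodeWithRecover(pal, malformedPixels()); err != nil {
		fmt.Println("unchecked decode under recover:", err)
	}
	// Calling paletteLookupUnchecked(pal, malformedPixels()) directly here
	// would panic and exit the process, which is the denial of service.
}
```

The recover wrapper is a stopgap, not a fix: it keeps the process alive but still spends CPU and allocations on the malformed file, and it must wrap the decode in the same goroutine that performs it. Updating to a release that bounds-checks the index is the durable remedy.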
Affected Systems
The vulnerability is confined to the bmp package of the golang.org/x/image repository. The CNA data lists no affected or fixed versions, so any application that imports this package and decodes BMP files from untrusted sources should be treated as susceptible until it is updated to a release that contains the fix. Note that importing the package registers the BMP decoder with the standard library's image package, so code that calls image.Decode on arbitrary input is exposed even if it never calls bmp.Decode directly.
Risk and Exploitability
A CVSS score of 5.3 places the flaw in the medium severity band. No EPSS score is available, so the likelihood of exploitation cannot be estimated from that source, but the attack path is simple: any component that decodes attacker-supplied BMPs, such as an upload handler or a thumbnailing service, can be crashed with a file whose pixel data references a palette entry that does not exist. Because an unrecovered Go panic takes down the whole process, one such request also aborts every other request that process is serving, and repeated submissions keep a supervisor-restarted service down, so the practical impact is on availability. The vulnerability is not listed in the CISA KEV catalog; that means CISA has not recorded evidence of active exploitation, not that exploitation has been ruled out.
OpenCVE Enrichment