Description
The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.
Published: 2026-05-29
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The TIFF decoder in the Go image library does not impose a limit on the size of PackBits‑compressed data. A maliciously crafted TIFF image can force the decoder to expand a compact payload into a vastly larger in‑memory structure. This uncontrolled expansion can deplete memory, trigger crashes, or significantly degrade system performance, effectively denying service to legitimate users or applications that rely on image decoding.

Affected Systems

All deployments that use the golang.org/x/image package, specifically the tiff subpackage, are susceptible when they process externally supplied TIFF files. Any application or service incorporating this library without additional safeguards is at risk.

Risk and Exploitability

The decoder lacks a size limit for PackBits‑decoded data, allowing an attacker to provide a small‑looking TIFF file that expands to consume large amounts of memory during decompression. This can lead to memory exhaustion and application crashes or significant performance degradation. Based on the description, it is inferred that a remote attacker could exploit this by uploading or transmitting a crafted TIFF to a vulnerable process, as the decoder processes external image data without validation. While EPSS data is not available and the vulnerability is not listed in CISA KEV, the absence of bounds indicates a potentially high risk of resource exhaustion.

Generated by OpenCVE AI on May 29, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade golang.org/x/image to a version that enforces a maximum PackBits size or otherwise limits decompression expansion
  • Implement strict input validation to reject large or suspicious TIFF files before decoding
  • Run image decoding in a sandboxed environment or apply system‑level resource limits to prevent memory exhaustion from compromising the host

Advisories

No advisories yet.

History

Fri, 29 May 2026 22:45:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-400

Fri, 29 May 2026 20:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.

Type: Title
Values Removed: (none)
Values Added: Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff

Type: References
Values Removed: (none)
Values Added:

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-05-29T19:35:33.539Z

Reserved: 2026-05-15T17:35:00.813Z

Link: CVE-2026-46599

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-29T20:16:28.280

Modified: 2026-05-29T20:16:28.280

Link: CVE-2026-46599

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T22:30:09Z

Weaknesses