Description
The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.
Published: 2026-05-29
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The TIFF decoder in the Go image library does not impose a limit on the size of PackBits‑compressed data. A maliciously crafted TIFF image can force the decoder to expand a compact payload into a vastly larger in‑memory structure. This uncontrolled expansion can deplete memory, trigger crashes, or significantly degrade system performance, effectively denying service to legitimate users or applications that rely on image decoding.

Affected Systems

All deployments that use the golang.org/x/image package, specifically the tiff subpackage, are susceptible when they process externally supplied TIFF files. Any application or service incorporating this library without additional safeguards is at risk.

Risk and Exploitability

The decoder imposes no size limit on PackBits‑decoded data, so an attacker can supply a small‑looking TIFF file that expands to consume large amounts of memory during decompression. This can lead to memory exhaustion and application crashes or significant performance degradation. The EPSS score is < 1% and the vulnerability is not listed in CISA KEV, but the absence of a bound indicates a potentially high risk of resource exhaustion. The CVSS score is 7.5.

Generated by OpenCVE AI on June 1, 2026 at 18:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade golang.org/x/image to a version that enforces a maximum PackBits size or otherwise limits decompression expansion
  • Implement strict input validation to reject oversized or suspicious TIFF files before decoding
  • Run image decoding in a sandboxed environment or apply system‑level resource limits to prevent memory exhaustion from compromising the host
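The risk paragraph above describes the failure mode (a compact PackBits stream that demands far more output than the image geometry can hold) and the recommended actions ask for a cap on decompression expansion. The following is an added example written for this page; it is not code from golang.org/x/image, the Go project or OpenCVE. It implements the standard PackBits run-length scheme with an output bound checked before every run, derives that bound from the strip geometry, and feeds the decoder a constructed oversized input (`OversizedInput`, a name assumed here) to show the cap rejecting it before any large allocation happens. PackBits header semantics are the usual ones: 0..127 means a literal run of n+1 bytes, -127..-1 means one byte repeated 1-n times, -128 is a no-op.

```go
package main

import (
	"errors"
	"fmt"
)

// Errors returned by the bounded decoder.
var (
	ErrOutputLimit = errors.New("packbits: decoded size would exceed the caller's limit")
	ErrTruncated   = errors.New("packbits: input ends inside a run")
)

// DecodePackBitsBounded decodes PackBits run-length data (the TIFF
// Compression=32773 scheme) but never materialises more than maxOut bytes.
// Checking the bound before each run keeps the worst-case allocation at
// maxOut, no matter how many repeat runs the input contains.
func DecodePackBitsBounded(src []byte, maxOut int) ([]byte, error) {
	if maxOut < 0 {
		return nil, ErrOutputLimit
	}
	// Size the buffer from the caller's bound, not from what the input asks for.
	capHint := maxOut
	if capHint > 4096 {
		capHint = 4096
	}
	out := make([]byte, 0, capHint)

	for i := 0; i < len(src); {
		n := int(int8(src[i])) // the header byte is signed
		i++
		switch {
		case n == -128:
			// No-op header; skip it.
		case n >= 0:
			// Literal run: copy the next n+1 bytes verbatim.
			count := n + 1
			if i+count > len(src) {
				return nil, ErrTruncated
			}
			if len(out)+count > maxOut {
				return nil, ErrOutputLimit
			}
			out = append(out, src[i:i+count]...)
			i += count
		default:
			// Repeat run: the next byte is emitted 1-n times (2..128).
			count := 1 - n
			if i >= len(src) {
				return nil, ErrTruncated
			}
			if len(out)+count > maxOut {
				return nil, ErrOutputLimit
			}
			b := src[i]
			i++
			for j := 0; j < count; j++ {
				out = append(out, b)
			}
		}
	}
	return out, nil
}

// StripLimit is the natural bound for one TIFF strip: the number of bytes the
// image geometry says the strip can hold. Output beyond it is never needed.
func StripLimit(widthPx, rowsPerStrip, bytesPerPixel int) int {
	return widthPx * rowsPerStrip * bytesPerPixel
}

// OversizedInput builds a constructed test vector: `runs` repeat runs of 128
// zero bytes, i.e. 2*runs input bytes that would expand to 128*runs bytes.
func OversizedInput(runs int) []byte {
	src := make([]byte, 0, 2*runs)
	for i := 0; i < runs; i++ {
		src = append(src, 0x81, 0x00) // 0x81 = -127 -> 128 copies of 0x00
	}
	return src
}

func main() {
	// Constructed 4x2 8-bit grayscale strip (8 bytes): literal "abc" then 5 x 'z'.
	encoded := []byte{0x02, 'a', 'b', 'c', 0xFC, 'z'}
	out, err := DecodePackBitsBounded(encoded, StripLimit(4, 2, 1))
	fmt.Printf("decoded %q, err=%v\n", out, err)

	// A 1x1 image whose strip data asks for 25600 bytes: rejected before allocation.
	_, err = DecodePackBitsBounded(OversizedInput(200), StripLimit(1, 1, 1))
	fmt.Println("oversized input:", err)
}
```

The bound is what makes this safe rather than the decoder's own arithmetic: `StripLimit` comes from header fields the decoder has already validated (width, rows per strip, bytes per pixel), so a caller should still sanity-check those fields against an absolute ceiling before multiplying them, otherwise an absurd declared geometry would simply raise the cap.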

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Mon, 01 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared: Golang, Golang image
Vendors & Products: Golang, Golang image

Fri, 29 May 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Fri, 29 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.
Title Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-06-01T14:44:03.725Z

Reserved: 2026-05-15T17:35:00.813Z

Link: CVE-2026-46599

Vulnrichment

Updated: 2026-06-01T14:43:29.816Z

NVD

Status: Deferred

Published: 2026-05-29T20:16:28.280

Modified: 2026-06-01T18:16:02.273

Link: CVE-2026-46599

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T19:00:14Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling