Description
The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The golang.org/x/image/webp decoder can panic when it encounters a VP8 chunk whose declared dimensions do not match the overall canvas size. This panic results in an unhandled crash of the decoding process, leading for any application that processes such malicious .webp files. The vulnerability arises from improper input validation of the image data, a weakness that can be abused by supplying crafted files.

Affected Systems

The affected component is the golang.org/x/image/webp package from the Go x/image repository. No specific versions are listed in the CVE entry, thus any release that contains the vulnerable decoder before the fix is considered impacted. Applications that depend on this package for reading WebP images should verify their installed version against the vendor’s release notes.

Risk and Exploitability

The CVSS score of 7.5 indicates a significant impact if exploited, the EPSS score of <1% reflects a very low probability that the vulnerability will be actively exploited. The vulnerability is not listed in CISA’s KEV catalog, indicating no widespread exploitation has been reported yet. An attacker could trigger a crash by sending a specially crafted WebP image, but the vector requires the image to be processed by the vulnerable decoder.

Generated by OpenCVE AI on June 27, 2026 at 03:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update golang.org/x/image/webp to the latest released version that contains the decoder patch.
  • If an immediate update is not possible, isolate the decoding process in a sandboxed environment to contain any crashes.
  • Implement application-level validation that rejects or sanitizes WebP images whose VP8 chunk dimensions do not.
  • Consider disabling WebP support entirely or switching to a verified image library until the vendor releases an official fix.

Generated by OpenCVE AI on June 27, 2026 at 03:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1288
References
Metrics threat_severity

None

threat_severity

Moderate


Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Fri, 26 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Fri, 26 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang image
Vendors & Products Golang
Golang image

Thu, 25 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 25 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Description The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.
Title Panic on VP8 alpha channel size mismatch in x/image/webp in golang.org/x/image
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-06-26T16:09:18.573Z

Reserved: 2026-05-15T17:35:00.814Z

Link: CVE-2026-46601

cve-icon Vulnrichment

Updated: 2026-06-26T16:09:13.233Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T19:47:21Z

Links: CVE-2026-46601 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T03:45:10Z

Weaknesses
  • CWE-1288

    Improper Validation of Consistency within Input