Impact
The golang.org/x/image/webp decoder can panic when it encounters a VP8 chunk whose declared dimensions do not match the overall canvas size. Because the panic is not recovered, it crashes the decoding process and causes a denial of service for any application that processes such a malicious .webp file. The vulnerability arises from improper input validation of the image data, a weakness that can be abused by supplying crafted files.
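As an added defensive example (not code from the x/image project or from the advisory), the following Go function pre-screens an untrusted lossy WebP file for exactly the inconsistency described above, comparing the canvas size declared in the VP8X chunk with the size declared in the VP8 key-frame header, so a mismatched file can be rejected before it reaches the decoder. It assumes the standard RIFF/WebP chunk layout, handles only lossy VP8 frames (not lossless VP8L), and the sample bytes at the end are constructed header-only input, not a decodable image.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// webpDims: VP8X canvas size (zero when the chunk is absent) and VP8 key-frame size.
type webpDims struct{ CanvasW, CanvasH, FrameW, FrameH uint32 }

// checkWebPDims reads only the RIFF chunk headers of a lossy WebP file and rejects
// it when the canvas and frame sizes disagree (the condition described above),
// before the bytes reach the decoder. Lossless VP8L frames are not parsed here.
func checkWebPDims(b []byte) (webpDims, error) {
	var d webpDims
	if len(b) < 12 || string(b[:4]) != "RIFF" || string(b[8:12]) != "WEBP" {
		return d, errors.New("not a RIFF/WEBP container")
	}
	for off := 12; off+8 <= len(b); {
		fourcc, size := string(b[off:off+4]), int(binary.LittleEndian.Uint32(b[off+4:off+8]))
		if size < 0 || size > len(b)-off-8 {
			return d, fmt.Errorf("chunk %q overruns file", fourcc)
		}
		p := b[off+8 : off+8+size]
		switch {
		case fourcc == "VP8X" && size >= 10: // flags(1) reserved(3) width-1, height-1 (24-bit LE)
			d.CanvasW = 1 + (uint32(p[4]) | uint32(p[5])<<8 | uint32(p[6])<<16)
			d.CanvasH = 1 + (uint32(p[7]) | uint32(p[8])<<8 | uint32(p[9])<<16)
		case fourcc == "VP8 " && size >= 10 && p[0]&1 == 0 &&
			p[3] == 0x9d && p[4] == 0x01 && p[5] == 0x2a:
			// key-frame tag(3) + start code(3), then 14-bit width and height (top 2 bits: scale)
			d.FrameW = uint32(binary.LittleEndian.Uint16(p[6:8])) & 0x3fff
			d.FrameH = uint32(binary.LittleEndian.Uint16(p[8:10])) & 0x3fff
		}
		off += 8 + size + size&1 // chunk payloads are padded to an even length
	}
	if d.FrameW == 0 || d.FrameH == 0 {
		return d, errors.New("no VP8 key-frame header found")
	}
	if d.CanvasW != 0 && (d.CanvasW != d.FrameW || d.CanvasH != d.FrameH) {
		return d, fmt.Errorf("VP8 frame %dx%d does not match VP8X canvas %dx%d", d.FrameW, d.FrameH, d.CanvasW, d.CanvasH)
	}
	return d, nil
}

// mismatchSample: constructed header-only bytes (not a decodable image): VP8X canvas 16x16, VP8 frame 32x16.
var mismatchSample = []byte("RIFF\x28\x00\x00\x00WEBP" +
	"VP8X\x0a\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x0f\x00\x00" +
	"VP8 \x0a\x00\x00\x00\x10\x02\x00\x9d\x01\x2a\x20\x00\x10\x00")
```

Upgrading to an x/image release that contains the fix is the actual remedy; a pre-check like this, or recovering from panics around image decoding of untrusted input, only limits the blast radius in the meantime.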
Affected Systems
The affected component is the golang.org/x/image/webp package from the Go x/image repository. No specific versions are listed in the CVE entry, so any release that contains the vulnerable decoder before the fix is considered impacted. Applications that depend on this package for reading WebP images should verify their installed version against the vendor’s release notes.
Risk and Exploitability
No CVSS score is provided, and the EPSS metric is unavailable, but the nature of the vulnerability suggests a moderate to high risk in contexts where untrusted images are accepted. The vulnerability is not listed in CISA’s KEV catalog, indicating that no widespread exploitation has been reported yet. An attacker could trigger a crash by sending a specially crafted WebP image, but the vector requires the image to be processed by the vulnerable decoder.
OpenCVE Enrichment