Description
The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The TIFF decoder does not enforce limits on tile sizes for tiled images, so a malicious or corrupt image can declare an extremely large tile. This omission lets an attacker trigger unbounded memory allocation: the decoder consumes progressively more RAM until the process or host exhausts memory, resulting in a denial of service.

Affected Systems

The vulnerability specifically affects projects that use the golang.org/x/image image library, particularly the x/image/tiff codec. No version details are listed in the advisory, so any releases prior to a future fix are potentially impacted.

Risk and Exploitability

With a CVSS score of 7.5 and an EPSS score below 1%, the vulnerability is rated high severity but is not known to be widely exploited, and it is not listed in the CISA KEV catalog. The impact of the flaw is high because of the potential for arbitrary memory consumption, but the likelihood of exploitation depends on how exposed the TIFF decoding functionality is within the target environment. The attack vector is inferred to be local or remote, depending on whether the service processes untrusted image data.

Generated by OpenCVE AI on June 26, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade golang.org/x/image to the latest available release when a fix is published
  • Add pre-decode validation to reject images with tiles exceeding an application-defined safe size
  • Implement sandboxing or resource limits for services that handle TIFF files to contain the memory impact
  • Restrict or filter incoming TIFF data to prevent malicious media from reaching the decoder
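The pre-decode validation from the second recommended action, written out as an added example (not code from the advisory or from golang.org/x/image): it reads only the TIFF header and first IFD with the standard library, then rejects tiled images whose TileWidth x TileLength exceeds an assumed application policy, maxTilePixels, before the bytes are handed to the decoder. The function names and the 4096x4096 policy are assumptions of this example; the tag numbers and IFD entry layout are those of the TIFF 6.0 specification.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const maxTilePixels = 4096 * 4096 // assumed policy: the largest tile this service will decode

// tileDims parses the header and first IFD and returns TileWidth (tag 322) and TileLength (tag 323); both are 0 for a stripped image.
func tileDims(data []byte) (w, h uint32, err error) {
	if len(data) < 8 || (data[0] != 'I' && data[0] != 'M') {
		return 0, 0, fmt.Errorf("tiff: bad byte-order mark")
	}
	var bo binary.ByteOrder = binary.LittleEndian
	if data[0] == 'M' {
		bo = binary.BigEndian
	}
	off := uint64(bo.Uint32(data[4:]))
	if bo.Uint16(data[2:]) != 42 || off+2 > uint64(len(data)) {
		return 0, 0, fmt.Errorf("tiff: bad magic or IFD offset")
	}
	n := uint64(bo.Uint16(data[off:]))
	if off+2+12*n > uint64(len(data)) {
		return 0, 0, fmt.Errorf("tiff: truncated IFD")
	}
	dims := map[uint16]*uint32{322: &w, 323: &h}
	for i := uint64(0); i < n; i++ {
		e := data[off+2+12*i:][:12] // entry layout: tag(2) type(2) count(4) value-or-offset(4)
		tag, typ, cnt := bo.Uint16(e[0:]), bo.Uint16(e[2:]), bo.Uint32(e[4:])
		if p := dims[tag]; p != nil && cnt == 1 && typ == 3 {
			*p = uint32(bo.Uint16(e[8:])) // SHORT is left-justified in the 4-byte value field
		} else if p != nil && cnt == 1 && typ == 4 {
			*p = bo.Uint32(e[8:]) // LONG fills the whole value field
		}
	}
	return w, h, nil
}

// CheckTileSize is the pre-decode gate: run it on the raw bytes before they reach tiff.Decode.
func CheckTileSize(data []byte) error {
	w, h, err := tileDims(data)
	if err != nil || w == 0 || h == 0 {
		return err // parse error, or an untiled (stripped) image: no tile to bound
	}
	if uint64(w)*uint64(h) > maxTilePixels {
		return fmt.Errorf("tiff: tile %dx%d exceeds policy of %d pixels", w, h, maxTilePixels)
	}
	return nil
}
```

The policy counts pixels only; a deployment that wants to bound bytes instead should also factor in BitsPerSample and SamplesPerPixel. Malformed or truncated headers are rejected with an error rather than passed on, so the gate never lets a file through just because it could not be parsed.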

Tracking

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:45:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-770, CWE-789

Fri, 26 Jun 2026 18:30:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-770, CWE-789

Fri, 26 Jun 2026 16:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
        |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 10:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Golang, Golang image
Vendors & Products  |                | Golang, Golang image

Thu, 25 Jun 2026 22:00:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-770, CWE-789

Thu, 25 Jun 2026 20:00:00 +0000

Type        | Values Removed | Values Added
Description |                | The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
Title       |                | Lack of limit on tile sizes in x/image/tiff in golang.org/x/image
References

MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-06-26T16:07:00.792Z

Reserved: 2026-05-15T17:35:00.814Z

Link: CVE-2026-46602

Vulnrichment

Updated: 2026-06-26T16:06:55.322Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T19:30:04Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling
  • CWE-789: Memory Allocation with Excessive Size Value