Impact
The vulnerability lies in the TIFF decoder of golang.org/x/image/tiff, where an invalid image containing an out‑of‑bounds strip offset triggers a panic, causing the host process to terminate. This results in a denial‑of‑service condition for the affected application; the attacker can supply such a crafted image to forcibly crash the program. The weakness is an out‑of‑bounds array index that leads to an unrecoverable panic rather than a controlled error.
Affected Systems
The vulnerability is present in the golang.org/x/image/tiff package of the Go language image library. No specific version range is supplied in the CNA data, so any installation of this package that has not incorporated a fix remains at risk.
Risk and Exploitability
Exact exploitation likelihood cannot be determined, since the provided data carries neither an EPSS score nor a CVSS assessment. The vulnerability has not yet been listed in the CISA KEV catalog. Based on the description, the likely attack vector is a malicious TIFF file, supplied locally or over the network, that the program then decodes; a hosted service that processes user‑supplied images is the most exposed scenario. If an attacker can get the application to decode a crafted TIFF, they can reliably crash it, leading to frequent service interruptions until a patch or mitigation is applied.
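A defensive pattern for services that decode user-supplied TIFFs, added here as an example (not code from golang.org/x/image or from OpenCVE): validate StripOffsets and StripByteCounts against the file size before any slice is indexed, and wrap the decoder call so a panic becomes a returned error instead of terminating the process. The decodeFunc signature is assumed to match tiff.Decode's shape, and the panicking decoder in main is a constructed stand-in for the faulty decoder.

```go
package main

import (
	"errors"
	"fmt"
	"image"
	"io"
	"strings"
)

// ErrStripOutOfBounds reports a strip that does not fit inside the file.
var ErrStripOutOfBounds = errors.New("tiff: strip offset/byte count out of bounds")

// checkStrips validates StripOffsets/StripByteCounts against the file size before
// any slice is indexed, returning an error instead of letting data[off] panic.
func checkStrips(offsets, counts []uint32, fileSize int) error {
	if len(offsets) != len(counts) {
		return errors.New("tiff: StripOffsets and StripByteCounts length mismatch")
	}
	for i := range offsets {
		off, n := uint64(offsets[i]), uint64(counts[i])
		// 64-bit arithmetic so offset+count cannot wrap around to a small value
		if off+n > uint64(fileSize) {
			return fmt.Errorf("%w: strip %d offset=%d count=%d fileSize=%d",
				ErrStripOutOfBounds, i, off, n, fileSize)
		}
	}
	return nil
}

// decodeFunc is the decoder being wrapped (assumed to match tiff.Decode's shape).
type decodeFunc func(r io.Reader) (image.Image, error)

// safeDecode turns a panic inside the decoder into a returned error, so one
// malformed upload cannot take down the whole process.
func safeDecode(decode decodeFunc, r io.Reader) (img image.Image, err error) {
	defer func() {
		if rec := recover(); rec != nil {
			img, err = nil, fmt.Errorf("tiff: decoder panicked on malformed input: %v", rec)
		}
	}()
	return decode(r)
}

func main() {
	// Constructed stand-in for a decoder that indexes past the end of its data.
	crashing := func(r io.Reader) (image.Image, error) {
		data, _ := io.ReadAll(r)
		return nil, fmt.Errorf("byte at strip offset: %d", data[100]) // index out of range
	}
	_, err := safeDecode(crashing, strings.NewReader("II*\x00 constructed tiny blob"))
	fmt.Println("decode result:", err)
	fmt.Println("strip check:", checkStrips([]uint32{8}, []uint32{1000}, 64))
}
```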
OpenCVE Enrichment