Description
The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the TIFF decoder of golang.org/x/image/tiff, where an invalid image containing an out‑of‑bounds strip offset triggers a panic, causing the host process to terminate. This results in a denial‑of‑service condition for the affected application; the attacker can supply such a crafted image to forcibly crash the program. The weakness is an out‑of‑bounds array index that leads to an unrecoverable panic rather than a controlled error.

Affected Systems

The vulnerability is present in the golang.org/x/image/tiff package of the Go language image library. No specific version range is supplied in the CNA data, so any installation of this package that has not incorporated a fix remains at risk.

Risk and Exploitability

Exact exploitation likelihood cannot be determined due to a very low EPSS score (< 1%) and the available CVSS score of 7.5. The vulnerability has not yet been listed in the CISA KEV catalog. Based on the description, the likely attack vector is local or network input that causes the program to load a malicious TIFF file; a hosted service processing user‑supplied images would be the most susceptible scenario. If an attacker can direct the application to interpret a crafted TIFF, they can reliably crash it, leading to frequent service interruptions until a patch or mitigation is applied.

Generated by OpenCVE AI on June 29, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade golang.org/x/image/tiff to the latest version that contains the fix for the out‑of‑bounds strip offset condition.
  • When an update is unavailable, process TIFF images inside a recover block or equivalent try/catch mechanism to prevent a full application crash from a single malformed image.
  • Implement input validation or size checks on incoming TIFF files to ensure that any strip offset references fall within the bounds of the image data before invoking the decoder, thereby mitigating the panic path.

Generated by OpenCVE AI on June 29, 2026 at 17:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Golang
Golang image
Vendors & Products Golang
Golang image

Mon, 29 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787

Mon, 29 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-788

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-788

Fri, 26 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.
Title Panic decoding image with out-of-bounds strip offset in x/image/tiff in golang.org/x/image
References

cve-icon MITRE

Status: PUBLISHED

Assigner: Go

Published:

Updated: 2026-06-29T13:20:23.731Z

Reserved: 2026-05-15T17:35:00.814Z

Link: CVE-2026-46604

cve-icon Vulnrichment

Updated: 2026-06-29T13:20:15.683Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T20:06:08Z

Weaknesses