CVE-2026-33809

Description

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected products

golang.org/x/image / golang.org/x/image/tiff0 – 0.38.0

References

MISChttps://go.dev/cl/757660
MISChttps://go.dev/issue/78267
MISChttps://pkg.go.dev/vuln/GO-2026-4815