CVE-2026-33809
Memory Exhaustion via Malicious TIFF in Go Image Decoder

Publication date: 2026-03-25

Last updated on: 2026-04-21

Assigner: Go Project

Description
A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: golang
Product: tiff
Version / Range: up to 0.38.0 (0.38.0 excluded)
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Executive Summary

This vulnerability involves a maliciously crafted TIFF file that causes the image decoding process to attempt to allocate up to 4GiB of memory.

This excessive memory allocation can lead to either excessive resource consumption or an out-of-memory error during image processing.

Impact Analysis

The impact of this vulnerability includes potential excessive consumption of system resources, which can degrade system performance.

It can also cause out-of-memory errors, potentially leading to application crashes or denial of service conditions.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-33809 on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

Exposure to this vulnerability can be identified by checking whether your Go applications decode untrusted TIFF files with the golang.org/x/image/tiff package at a version before v0.38.0.

Specifically, detection involves checking if TIFF files contain a maliciously crafted Image File Directory (IFD) offset set to 0xFFFFFFFF, which triggers excessive memory allocation.

To detect attempts to exploit this vulnerability on your system, you can monitor for abnormal memory usage or out-of-memory errors in Go applications that decode TIFF images.

No direct commands are provided in the referenced resources, but the following checks apply:

  • Linux: Use `top`, `htop`, or `ps` to monitor memory usage of Go processes.
  • Check application logs for crashes or out-of-memory errors related to TIFF decoding.
  • If you have access to the source code or binaries, verify the version of the golang.org/x/image/tiff package in use to confirm whether it is before v0.38.0.

Mitigation Strategies
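As a defensive pre-check added here (not code from the Go project or from this advisory), the following Go program parses only the 8-byte TIFF header and rejects any file whose first IFD offset cannot fall inside the file, which covers the 0xFFFFFFFF offset described above. The sample byte strings are constructed for the demonstration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var byteOrders = map[string]binary.ByteOrder{"II": binary.LittleEndian, "MM": binary.BigEndian}

// FirstIFDOffset parses the 8-byte TIFF header (byte-order mark, magic 42,
// absolute offset of the first IFD) and returns that offset.
func FirstIFDOffset(data []byte) (uint32, error) {
	if len(data) < 8 {
		return 0, errors.New("short TIFF header")
	}
	bo, ok := byteOrders[string(data[:2])]
	if !ok || bo.Uint16(data[2:4]) != 42 {
		return 0, errors.New("not a TIFF header")
	}
	return bo.Uint32(data[4:8]), nil
}

// CheckFirstIFD rejects a file whose first IFD offset cannot point at a 2-byte
// entry count inside the file itself; 0xFFFFFFFF, the value the advisory
// names, always fails this test. It inspects only the first IFD, so it is a
// pre-filter in front of the decoder, not a replacement for upgrading.
func CheckFirstIFD(data []byte) error {
	off, err := FirstIFDOffset(data)
	if err != nil {
		return err
	}
	if off < 8 || uint64(off)+2 > uint64(len(data)) {
		return fmt.Errorf("first IFD offset 0x%08X lies outside the %d-byte file", off, len(data))
	}
	return nil
}

// Constructed samples (not from the advisory): a minimal valid little-endian
// TIFF with an empty IFD at offset 8, and a header whose IFD offset is 0xFFFFFFFF.
var (
	goodTIFF = []byte{'I', 'I', 42, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0}
	badTIFF  = []byte{'I', 'I', 42, 0, 0xFF, 0xFF, 0xFF, 0xFF}
)

func main() {
	fmt.Println("good:", CheckFirstIFD(goodTIFF))
	fmt.Println("bad:", CheckFirstIFD(badTIFF))
}
```

Run the check on the bytes of an untrusted upload before passing them to the decoder; a rejection is a signal worth logging alongside the memory monitoring above.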

The primary mitigation step is to upgrade the golang.org/x/image/tiff package to version v0.38.0 or later, where the vulnerability has been fixed.

This update changes the decoding process to allocate memory incrementally in chunks rather than based on untrusted offsets, preventing excessive memory allocation.

Additionally, avoid processing untrusted or unauthenticated TIFF files until the update is applied.

Monitor your applications for unusual memory consumption or crashes related to TIFF decoding as a temporary measure.
