CVE-2026-33809
Memory Exhaustion via Malicious TIFF in Go Image Decoder
Publication date: 2026-03-25
Last updated on: 2026-04-21
Assigner: Go Project
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | tiff | all versions before 0.38.0 (0.38.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves a maliciously crafted TIFF file that causes the image decoding process to attempt to allocate up to 4GiB of memory.
This excessive memory allocation can lead to either excessive resource consumption or an out-of-memory error during image processing.
How can this vulnerability impact me?
The impact of this vulnerability includes potential excessive consumption of system resources, which can degrade system performance.
It can also cause out-of-memory errors, potentially leading to application crashes or denial of service conditions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-33809 on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying if your Go applications are processing untrusted TIFF files using the golang.org/x/image/tiff package versions before v0.38.0.
Specifically, detection involves checking if TIFF files contain a maliciously crafted Image File Directory (IFD) offset set to 0xFFFFFFFF, which triggers excessive memory allocation.
To detect attempts to exploit this vulnerability on your system, you can monitor for abnormal memory usage or out-of-memory errors in Go applications that decode TIFF images.
While no direct commands are provided in the resources, you can use system monitoring tools such as:
- Linux: use `top`, `htop`, or `ps` to monitor the memory usage of Go processes.
- Check application logs for crashes or out-of-memory errors related to TIFF decoding.
- If you have access to the source code or binaries, verify the version of the golang.org/x/image/tiff package in use to confirm whether it is older than v0.38.0.
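The two checks above (a pre-decode sanity check on the file and a dependency version check) can be scripted. The following Go program is an added example written for this page; it is not code from the Go project or from the golang.org/x/image module. It uses only the standard library and makes two assumptions: that the tiff package ships in the golang.org/x/image module, so the `require` line to inspect in go.mod is `golang.org/x/image`, and that v0.38.0 is the first fixed release as stated above. `FirstIFDOffset` parses only the 8-byte TIFF header and rejects any file whose first Image File Directory offset lies outside the bytes actually received, which is the shape of input this CVE describes; `ImageModuleFixed` reads a go.mod and reports whether the required x/image version is at least v0.38.0. The sample inputs in `main` are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// A TIFF file starts with an 8-byte header: byte order, magic 42, IFD offset.
const tiffHeaderLen = 8

// FirstIFDOffset parses the TIFF header and returns the offset of the first
// Image File Directory. It returns an error when the header is malformed or
// when the offset points outside the supplied bytes (for example 0xFFFFFFFF),
// so such a file can be dropped before it reaches the image decoder.
func FirstIFDOffset(data []byte) (uint32, error) {
	if len(data) < tiffHeaderLen {
		return 0, errors.New("tiff: data shorter than header")
	}
	var bo binary.ByteOrder
	switch string(data[0:2]) {
	case "II":
		bo = binary.LittleEndian
	case "MM":
		bo = binary.BigEndian
	default:
		return 0, errors.New("tiff: bad byte-order marker")
	}
	if bo.Uint16(data[2:4]) != 42 {
		return 0, errors.New("tiff: bad magic number")
	}
	off := bo.Uint32(data[4:8])
	// The IFD must start after the header and leave room for its 2-byte
	// entry count inside the buffer we actually hold.
	if off < tiffHeaderLen || uint64(off)+2 > uint64(len(data)) {
		return off, fmt.Errorf("tiff: first IFD offset 0x%08X outside %d-byte file", off, len(data))
	}
	return off, nil
}

// ImageModuleFixed scans go.mod text for the golang.org/x/image requirement
// (assumption: the module that contains the tiff package) and reports whether
// its version is at least v0.38.0. found is false when the module is absent.
func ImageModuleFixed(goMod string) (found bool, fixed bool, version string) {
	for _, line := range strings.Split(goMod, "\n") {
		fields := strings.Fields(line)
		// Handles "require golang.org/x/image vX.Y.Z" and the indented
		// form inside a "require ( ... )" block.
		for i, f := range fields {
			if f == "golang.org/x/image" && i+1 < len(fields) {
				v := fields[i+1]
				return true, compareSemver(v, "v0.38.0") >= 0, v
			}
		}
	}
	return false, false, ""
}

// compareSemver compares two "vMAJOR.MINOR.PATCH" strings numerically.
// Suffixes such as "-rc1" or a pseudo-version timestamp are stripped, which
// errs on the side of reporting an old version (v0.0.0-2024... < v0.38.0).
func compareSemver(a, b string) int {
	pa, pb := semverParts(a), semverParts(b)
	for i := 0; i < 3; i++ {
		if pa[i] < pb[i] {
			return -1
		}
		if pa[i] > pb[i] {
			return 1
		}
	}
	return 0
}

func semverParts(v string) [3]int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p) // non-numeric parts count as 0
		out[i] = n
	}
	return out
}

func main() {
	// Constructed sample: little-endian header whose first IFD offset is
	// 0xFFFFFFFF with no bytes behind it; it must be rejected before decoding.
	bad := []byte{'I', 'I', 42, 0, 0xFF, 0xFF, 0xFF, 0xFF}
	if _, err := FirstIFDOffset(bad); err != nil {
		fmt.Println("rejected:", err)
	}
	// Constructed go.mod pinning an affected release.
	goMod := "module example.com/app\n\ngo 1.22\n\nrequire golang.org/x/image v0.37.0\n"
	found, fixed, v := ImageModuleFixed(goMod)
	fmt.Printf("x/image found=%v version=%s fixed=%v\n", found, v, fixed)
}
```

The header check is a pre-filter, not a substitute for the upgrade: a file can pass it and still be hostile further into the IFD chain. For the version check on real artifacts, `go list -m golang.org/x/image` in a module directory and `go version -m <binary>` on a built executable print the resolved module version that `ImageModuleFixed` compares.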
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the golang.org/x/image/tiff package to version v0.38.0 or later, where the vulnerability has been fixed.
This update changes the decoding process to allocate memory incrementally in chunks rather than based on untrusted offsets, preventing excessive memory allocation.
Additionally, avoid processing untrusted or unauthenticated TIFF files until the update is applied.
Monitor your applications for unusual memory consumption or crashes related to TIFF decoding as a temporary measure.