CVE-2026-33812
Excessive Memory Allocation in Go Font Parsing Vulnerability
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: Go Project
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | golang_x_image_font_sfnt | before 0.39.0 (0.39.0 and later not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can cause a denial of service by exhausting memory when a malicious font file is parsed.
An attacker who can get a crafted font file parsed by the vulnerable package can trigger a very large allocation, leading to an out-of-memory condition and termination of the affected process. In Go, running out of memory is a fatal runtime error rather than a recoverable panic, so recover() cannot contain it: the whole process dies, including goroutines serving unrelated requests.
Services that parse untrusted fonts with this package (for example document or image renderers and font conversion tools) can therefore be crashed repeatedly or driven into heavy memory pressure and degraded performance.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability arises when golang.org/x/image/font/sfnt parses a malicious font file whose header values drive an oversized allocation. At runtime it shows up as a process handling font data that suddenly consumes very large amounts of memory, dies with a Go "fatal error: runtime: out of memory", or is killed by the kernel OOM killer.
The page's resources give no detection commands. A more reliable approach than watching for crashes is to inventory the dependency: in a Go module directory, `go list -m golang.org/x/image` prints the selected version of the module that contains the sfnt package, and `go version -m <binary>` lists the module versions compiled into an already-built Go binary. Any version below v0.39.0 is affected.
What immediate steps should I take to mitigate this vulnerability?
The fix shipped in v0.39.0 of the golang.org/x/image module, which contains the font/sfnt package. Upgrade to v0.39.0 or later (`go get golang.org/x/image@v0.39.0`, then `go mod tidy`). Because Go binaries are statically linked, updating the module source alone changes nothing for deployed software: every binary that embeds the package must be rebuilt and redeployed.
Until the update is in place, avoid parsing untrusted font files with the package, or isolate that parsing in a separate, memory-limited process so that an oversized allocation cannot take down the main service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-33812 is a vulnerability in the Go package golang.org/x/image/font/sfnt that is triggered when parsing a malicious font file.
The parser reads certain count values from the font file and uses them to size memory allocations without first checking them against the data actually present in the file.
A crafted file can therefore make the parser request far more memory than the file could ever fill, exhausting memory and crashing the program.
Several parsing functions are affected, including those handling glyph positioning and kerning.
The root cause is the lack of validation on the product of two uint16 values read from the font file: each can be as large as 65535, so their product can reach roughly 4.3 billion elements, and an allocation sized by that product is far beyond what any real font table carries.
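An added illustration of the allocation pattern this CVE describes and of the shape of the fix, written for this page and not taken from the golang.org/x/image/font/sfnt source. It assumes a constructed table layout (two big-endian uint16 counts followed by rows*cols big-endian uint16 entries, loosely like a kerning or glyph-positioning subtable); the names vulnerableAllocBytes, hardenedParse, readCounts and buildTable are this example's own. The vulnerable function only computes the size the unpatched pattern would request instead of allocating it, so the program runs safely on the malicious input.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Illustrative model of the bug class only; this is not the code of
// golang.org/x/image/font/sfnt. The table layout is constructed for this
// example: two big-endian uint16 counts, then rows*cols big-endian uint16
// entries.

const (
	headerLen = 4 // two uint16 counts
	entrySize = 2 // one uint16 per entry
)

var (
	errShort    = errors.New("table shorter than its header")
	errOversize = errors.New("declared entry count exceeds table length")
)

// readCounts extracts the two attacker-controlled uint16 values.
func readCounts(table []byte) (rows, cols uint64, err error) {
	if len(table) < headerLen {
		return 0, 0, errShort
	}
	rows = uint64(binary.BigEndian.Uint16(table[0:2]))
	cols = uint64(binary.BigEndian.Uint16(table[2:4]))
	return rows, cols, nil
}

// vulnerableAllocBytes reports how many bytes the unpatched pattern would
// hand to make(): rows*cols entries, never compared with len(table). It only
// computes the size, so it is safe to call on hostile input; code that
// actually allocates this much is what exhausts memory.
func vulnerableAllocBytes(table []byte) (uint64, error) {
	rows, cols, err := readCounts(table)
	if err != nil {
		return 0, err
	}
	return rows * cols * entrySize, nil // up to 65535*65535*2 = 8589672450 bytes
}

// hardenedParse applies the shape of the fix: bound the product by the bytes
// the table actually carries before allocating anything.
func hardenedParse(table []byte) ([]uint16, error) {
	rows, cols, err := readCounts(table)
	if err != nil {
		return nil, err
	}
	n := rows * cols // uint64, so the product cannot overflow a 32-bit int
	if n > uint64(len(table)-headerLen)/entrySize {
		return nil, errOversize
	}
	out := make([]uint16, n) // n is now at most the number of entries present
	for i := range out {
		out[i] = binary.BigEndian.Uint16(table[headerLen+entrySize*i:])
	}
	return out, nil
}

// buildTable constructs test input in the layout above.
func buildTable(rows, cols uint16, entries []uint16) []byte {
	b := make([]byte, headerLen+entrySize*len(entries))
	binary.BigEndian.PutUint16(b[0:], rows)
	binary.BigEndian.PutUint16(b[2:], cols)
	for i, e := range entries {
		binary.BigEndian.PutUint16(b[headerLen+entrySize*i:], e)
	}
	return b
}

var (
	// malicious (constructed): the header claims 65535 x 65535 entries but carries none.
	malicious = buildTable(0xFFFF, 0xFFFF, nil)
	// benign (constructed): the header matches the payload (2 x 3 entries).
	benign = buildTable(2, 3, []uint16{1, 2, 3, 4, 5, 6})
)

func main() {
	b, _ := vulnerableAllocBytes(malicious)
	fmt.Printf("unpatched pattern would allocate %d bytes (%.1f GiB)\n", b, float64(b)/(1<<30))
	_, err := hardenedParse(malicious)
	fmt.Println("hardened parse of malicious table:", err)
	v, err := hardenedParse(benign)
	fmt.Println("hardened parse of benign table:", v, err)
}
```

Run with `go run .`: the hardened path rejects the 65535 x 65535 header with errOversize, while the unpatched pattern would have asked make() for about 8 GiB. The bound used here (declared entries must fit in the table's remaining bytes) is the general principle behind the fix: a count read from a file must be checked against something the attacker cannot inflate, such as the length of the data actually received, before it is allowed to size an allocation.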