CVE-2026-33812
Received Received - Intake
Excessive Memory Allocation in Go Font Parsing Vulnerability

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: Go Project

Description
Parsing a malicious font file can cause excessive memory allocation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33812
EUVD
EUVD-2026-24245
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
golang golang_x_image_font_sfnt to 0.39.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can cause a denial of service by exhausting system memory when a malicious font file is parsed.

An attacker could exploit this by providing a crafted font file that triggers excessive memory allocation, leading to out-of-memory conditions and termination of the affected process.

This can disrupt services or applications that rely on the vulnerable Go package for font parsing, potentially causing crashes or degraded performance.

Detection Guidance

This vulnerability arises from parsing malicious font files that cause excessive memory allocation in the Go package golang.org/x/image/font/sfnt. Detection would involve monitoring for processes consuming unusually high memory or crashing due to out-of-memory conditions when handling font files.

There are no specific commands provided in the available resources to detect this vulnerability directly on a network or system.

Mitigation Strategies

The vulnerability was fixed in version v0.39.0 of the golang.org/x/image/font/sfnt package. Immediate mitigation involves upgrading to version v0.39.0 or later to ensure the vulnerability is patched.

Additionally, avoid processing untrusted or malicious font files until the update is applied, as the vulnerability can cause excessive memory allocation and potential denial of service.

Executive Summary

CVE-2026-33812 is a vulnerability in the Go package golang.org/x/image/font/sfnt that occurs when parsing a malicious font file.

Specifically, the vulnerability arises from improper validation of certain values read from the font file, which are used to allocate memory without proper checks.

This can lead to excessive memory allocation requests, potentially causing the program to run out of memory and crash.

The issue affects multiple functions involved in parsing font data, including those handling glyph positioning and kerning.

The root cause is the lack of validation on the product of two uint16 values read from the font file, which can lead to very large memory allocations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33812. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart