CVE-2026-33813
Panic Vulnerability in Go WEBP Parser on 32-bit Platforms
Publication date: 2026-04-21
Last updated on: 2026-04-22
Assigner: Go Project
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | up to 0.39.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33813 is a vulnerability in the Go programming language's x/image/webp package affecting versions prior to v0.39.0. It occurs when parsing a WEBP image that contains an invalid, excessively large size on 32-bit platforms.
The decoding functions Decode and DecodeConfig do not properly handle large image sizes, which leads to a runtime panic (crash) due to improper size checks. Specifically, the decoder fails to reject images whose canvas size exceeds the maximum allowed by the WebP VP8X header specification, causing corrupt image objects and subsequent panics when accessed.
How can this vulnerability impact me?
This vulnerability can cause applications using the vulnerable Go package on 32-bit platforms to crash unexpectedly when processing specially crafted WEBP images with invalid large sizes.
Such runtime panics can lead to denial of service conditions, where the application becomes unavailable or unstable due to the inability to handle these malformed images safely.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when parsing a WEBP image with an invalid, excessively large size on 32-bit platforms, causing a panic in the Go x/image/webp package versions prior to v0.39.0.
To detect this vulnerability on your system, you can test decoding WEBP images with large or malformed canvas sizes using the vulnerable Go package functions `Decode` or `DecodeConfig` on a 32-bit platform.
There are no specific network detection commands provided, but you can attempt to decode suspicious or untrusted WEBP images using a Go program that imports "golang.org/x/image/webp" and calls these functions, observing whether a panic occurs.
Outline of a Go test program (run on a 32-bit system):
- Import the package: `import "golang.org/x/image/webp"`
- Use `webp.Decode` or `webp.DecodeConfig` on a WEBP image file suspected to have a large or invalid size.
- Observe whether the decoding causes a panic or runtime error, indicating the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade the Go package "golang.org/x/image/webp" to version v0.39.0 or later, where the issue has been fixed by adding proper checks to reject WEBP images with canvas sizes exceeding the allowed maximum.
If upgrading is not immediately possible, avoid processing untrusted or malformed WEBP images on 32-bit platforms to prevent runtime panics.
Additionally, implement input validation to ensure that WEBP images conform to the canvas size limits defined by the WebP VP8X header specification (canvas size must not exceed 2^32-1 pixels).
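As an added example (not code from this page, from the Go project, or from the x/image fix), the following Go program implements the input validation the mitigation above describes: it parses the RIFF/WEBP container header and, when the first chunk is VP8X, computes the declared canvas width times height and rejects the file before it reaches any decoder if the product exceeds 2^32-1 pixels. It goes one step beyond the text by also rejecting a canvas whose pixel count does not fit in the platform's `int`, which is 32 bits on the affected platforms; that extra check, the function names, and the constructed sample headers are this example's own assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Limit quoted on the page from the WebP VP8X specification:
// canvas width * canvas height must not exceed 2^32-1 pixels.
const maxCanvasPixels = uint64(math.MaxUint32)

var (
	errNotWebP        = errors.New("not a RIFF/WEBP container")
	errShortHeader    = errors.New("truncated WebP header")
	errCanvasTooBig   = errors.New("VP8X canvas exceeds 2^32-1 pixels")
	errCanvasOverflow = errors.New("VP8X canvas pixel count does not fit in int on this platform")
)

// le24 decodes a 24-bit little-endian field, the encoding used for the VP8X canvas size.
func le24(b []byte) uint64 {
	return uint64(b[0]) | uint64(b[1])<<8 | uint64(b[2])<<16
}

// vp8xCanvas returns the canvas width and height declared by a WebP file's
// VP8X chunk. ok is false for a simple (VP8/VP8L) WebP that has no such chunk.
func vp8xCanvas(data []byte) (width, height uint64, ok bool, err error) {
	// RIFF container: "RIFF" <size:4 LE> "WEBP", then the first chunk header
	// (4-byte FourCC, 4-byte little-endian payload size).
	if len(data) < 20 {
		return 0, 0, false, errShortHeader
	}
	if string(data[0:4]) != "RIFF" || string(data[8:12]) != "WEBP" {
		return 0, 0, false, errNotWebP
	}
	if string(data[12:16]) != "VP8X" {
		return 0, 0, false, nil
	}
	// VP8X payload: 1 flags byte, 3 reserved bytes, then canvas width-1 and
	// canvas height-1 as 24-bit little-endian values (10 bytes in total).
	if binary.LittleEndian.Uint32(data[16:20]) < 10 || len(data) < 30 {
		return 0, 0, false, errShortHeader
	}
	p := data[20:30]
	return le24(p[4:7]) + 1, le24(p[7:10]) + 1, true, nil
}

// checkWebPCanvas rejects a WebP whose declared VP8X canvas is larger than the
// specification allows, or larger than this platform's int can index, before
// the bytes are handed to an image decoder. Non-VP8X files pass unchanged.
func checkWebPCanvas(data []byte) error {
	w, h, ok, err := vp8xCanvas(data)
	if err != nil || !ok {
		return err
	}
	pixels := w * h // each factor is at most 2^24, so the product fits in uint64
	if pixels > maxCanvasPixels {
		return fmt.Errorf("%w: %d x %d", errCanvasTooBig, w, h)
	}
	// Extra conservative check (this example's assumption, not stated on the page):
	// on 32-bit platforms int is 32 bits, so a canvas within the spec limit can
	// still exceed what an int-indexed pixel buffer can hold.
	if pixels > uint64(math.MaxInt) {
		return fmt.Errorf("%w: %d x %d", errCanvasOverflow, w, h)
	}
	return nil
}

// put24 writes a 24-bit little-endian field.
func put24(b []byte, v uint32) {
	b[0], b[1], b[2] = byte(v), byte(v>>8), byte(v>>16)
}

// buildVP8XHeader constructs the first 30 bytes of an extended WebP file that
// declares the given canvas. Constructed sample data for this example only; it
// is not a real image and carries no bitstream chunks.
func buildVP8XHeader(width, height uint32) []byte {
	b := make([]byte, 30)
	copy(b[0:4], "RIFF")
	binary.LittleEndian.PutUint32(b[4:8], 22) // RIFF size: bytes following this field
	copy(b[8:12], "WEBP")
	copy(b[12:16], "VP8X")
	binary.LittleEndian.PutUint32(b[16:20], 10) // VP8X payload length
	put24(b[24:27], width-1)
	put24(b[27:30], height-1)
	return b
}

func main() {
	for _, wh := range [][2]uint32{{640, 480}, {65535, 65537}, {65536, 65536}, {1 << 24, 1 << 24}} {
		fmt.Printf("%dx%d -> %v\n", wh[0], wh[1], checkWebPCanvas(buildVP8XHeader(wh[0], wh[1])))
	}
}
```

Running `checkWebPCanvas` on untrusted input before calling `webp.Decode` or `webp.DecodeConfig` turns an oversized canvas into an ordinary error instead of a crash; the 65535x65537 sample sits exactly at the 2^32-1 limit, so it passes the specification check but is rejected by the `int` check on a 32-bit build.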
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.