CVE-2026-33813
Received Received - Intake
Panic Vulnerability in Go WEBP Parser on 32-bit Platforms

Publication date: 2026-04-21

Last updated on: 2026-04-22

Assigner: Go Project

Description
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33813
EUVD
EUVD-2026-24247
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
golang go to 0.39.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33813 is a vulnerability in the Go programming language's x/image/webp package affecting versions prior to v0.39.0. It occurs when parsing a WEBP image that contains an invalid, excessively large size on 32-bit platforms.

The decoding functions Decode and DecodeConfig do not properly handle large image sizes, which leads to a runtime panic (crash) due to improper size checks. Specifically, the decoder fails to reject images whose canvas size exceeds the maximum allowed by the WebP VP8X header specification, causing corrupt image objects and subsequent panics when accessed.

Impact Analysis

This vulnerability can cause applications using the vulnerable Go package on 32-bit platforms to crash unexpectedly when processing specially crafted WEBP images with invalid large sizes.

Such runtime panics can lead to denial of service conditions, where the application becomes unavailable or unstable due to the inability to handle these malformed images safely.

Detection Guidance

This vulnerability occurs when parsing a WEBP image with an invalid, excessively large size on 32-bit platforms, causing a panic in the Go x/image/webp package versions prior to v0.39.0.

To detect this vulnerability on your system, you can test decoding WEBP images with large or malformed canvas sizes using the vulnerable Go package functions `Decode` or `DecodeConfig` on a 32-bit platform.

There are no specific network detection commands provided, but you can attempt to decode suspicious or untrusted WEBP images using a Go program that imports "golang.org/x/image/webp" and calls these functions, observing if a panic occurs.

Example Go code snippet to test decoding (run on a 32-bit system):

  • Import the package: `import "golang.org/x/image/webp"`
  • Use `webp.Decode` or `webp.DecodeConfig` on a WEBP image file suspected to have a large or invalid size.
  • Observe if the decoding causes a panic or runtime error, indicating the presence of the vulnerability.
Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Go package "golang.org/x/image/webp" to version v0.39.0 or later, where the issue has been fixed by adding proper checks to reject WEBP images with canvas sizes exceeding the allowed maximum.

If upgrading is not immediately possible, avoid processing untrusted or malformed WEBP images on 32-bit platforms to prevent runtime panics.

Additionally, implement input validation to ensure that WEBP images conform to the canvas size limits defined by the WebP VP8X header specification (canvas size must not exceed 2^32-1 pixels).

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33813. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart