CVE-2026-42500
Panic in Go's golang.org/x/image/bmp Package from Invalid Palette Index

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Go Project

Description
Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.
Affected Vendors & Products (3 associated CPEs)

Vendor   Product        Version / Range
golang   golang         < 0.41.0
golang   x_image_bmp    *
golang   x_image_tiff   *
CWE ID: CWE-UNKNOWN (no weakness class assigned)
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42500 is a vulnerability in golang.org/x/image/bmp, the BMP decoder in Go's supplementary x/image module (not the standard library's image package). A paletted BMP declares a colour table and then stores one palette index per pixel; a crafted file can store indices larger than the table it declares. Before v0.41.0 the decoder accepted such a file, and the panic surfaces later, when pixels of the returned image are read (for example through the image's At method, or when the image is re-encoded or resized): the index lookup into the palette fails with an index-out-of-range runtime error instead of a handled decode error.

The fix makes the decoder return an error when it encounters a pixel index outside the palette, so callers get a decode failure up front rather than a deferred crash.


How can this vulnerability impact me?

Any application that decodes attacker-supplied BMP images with the affected package (thumbnailers, format converters, upload handlers, document processors) can be crashed by a single crafted file, which is a denial-of-service condition. Because the panic happens when pixels are accessed rather than at decode time, checking the decode error is not enough to avoid it.

An unrecovered panic terminates the whole Go process, not just the goroutine that touched the image; a net/http server recovers panics raised inside handler goroutines, so there the damage is limited to the aborted request, but background workers or pipelines without their own recover will die. The vulnerability does not lead to information disclosure or code execution; the impact is availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The panic is triggered by decoding a paletted BMP with an out-of-range palette index using golang.org/x/image/bmp from any golang.org/x/image module version before v0.41.0. Detection therefore comes down to finding which version of that module your code and binaries depend on.

  • In a source tree, run `go list -m golang.org/x/image` (or `go list -m all | grep golang.org/x/image`). The module is golang.org/x/image; grepping for the package path golang.org/x/image/bmp in `go list -m all` output matches nothing, since that command lists modules, not packages.
  • For an already built binary, run `go version -m <binary>` and look for the golang.org/x/image line in the embedded build info.
  • Run `govulncheck ./...` (golang.org/x/vuln/cmd/govulncheck) in the source tree: it reports known vulnerable functions that are actually reachable from your code, which is more precise than a version check when your program imports x/image for something other than BMP.
  • A version earlier than v0.41.0 is affected.

You can also confirm the behaviour dynamically by decoding a BMP whose pixel data contains indices beyond the declared palette and then reading its pixels; on an affected version that read panics, on a fixed version Decode returns an error. Do this in a test with a deferred recover so the probe itself does not take the process down.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the golang.org/x/image module to v0.41.0 or later (`go get golang.org/x/image@v0.41.0`, then `go mod tidy`), rebuild, and redeploy every binary that embeds the old version; a module update in the source tree does nothing for binaries already running.

The fix changes the decoder to return an error instead of leaving an invalid image behind when it encounters out-of-range palette indices, so the crash cannot occur.

If upgrading immediately is not possible, contain the failure instead: decode and process untrusted BMPs behind a deferred recover so a crafted file fails one request rather than the process, and, where the decoder returns an *image.Paletted, reject any image whose pixel indices exceed the palette length before handing it to code that reads pixels. Validating the raw BMP bytes before decoding is possible but means parsing the header, palette and pixel rows yourself; checking the decoded image is simpler and covers the same condition.
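The following program, written for this page and not taken from the x/image project, shows both the dynamic check described under detection and the interim mitigation above. It stands in for the decoder's output with a constructed *image.Paletted whose last pixel points at palette entry 200 while the palette holds 2 entries, which is exactly the shape of image an affected decoder hands back for a crafted BMP. ValidatePaletted, SafeAt and NewBadPaletted are hypothetical helpers named here for illustration; in real use you would obtain the image from bmp.Decode in golang.org/x/image/bmp and run the same validator on its result.

```go
package main

import (
	"errors"
	"fmt"
	"image"
	"image/color"
)

// ErrPaletteIndex reports a pixel whose palette index does not exist.
var ErrPaletteIndex = errors.New("paletted image: pixel index out of palette range")

// ValidatePaletted scans every pixel index of a paletted image and rejects the
// image if any index is >= len(Palette). This is the condition the fixed
// decoder rejects; running it on an unpatched decoder's output before the image
// is used prevents the later panic. (Hypothetical helper, not part of x/image.)
func ValidatePaletted(p *image.Paletted) error {
	n := len(p.Palette)
	b := p.Bounds()
	for y := b.Min.Y; y < b.Max.Y; y++ {
		start := (y - b.Min.Y) * p.Stride
		row := p.Pix[start : start+b.Dx()]
		for x, idx := range row {
			if int(idx) >= n {
				return fmt.Errorf("%w: pixel (%d,%d) uses index %d, palette has %d entries",
					ErrPaletteIndex, b.Min.X+x, y, idx, n)
			}
		}
	}
	return nil
}

// SafeAt reads one pixel and converts the index-out-of-range panic that an
// invalid paletted image raises in At into an ordinary error, so a probe or a
// worker goroutine survives a crafted image. (Hypothetical helper.)
func SafeAt(img image.Image, x, y int) (c color.Color, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("pixel access panicked: %v", r)
		}
	}()
	return img.At(x, y), nil
}

// NewBadPaletted constructs, in memory and without any file, the kind of image
// an unpatched decoder returns for a crafted paletted BMP: a 2x2 image with a
// 2-entry palette whose last pixel refers to entry 200. (Constructed sample.)
func NewBadPaletted() *image.Paletted {
	p := image.NewPaletted(image.Rect(0, 0, 2, 2), color.Palette{color.Black, color.White})
	copy(p.Pix, []uint8{0, 1, 1, 200})
	return p
}

func main() {
	p := NewBadPaletted()
	// The mitigation: reject the image before any pixel is read.
	if err := ValidatePaletted(p); err != nil {
		fmt.Println("rejected:", err)
	}
	// What happens without the check: At panics; SafeAt turns that into an error.
	if _, err := SafeAt(p, 1, 1); err != nil {
		fmt.Println("unchecked access:", err)
	}
}
```

ValidatePaletted walks the pixel rows by Stride rather than ranging over all of Pix so that padding bytes outside the image rectangle, which the decoder may leave unset, are not mistaken for bad indices. A decode wrapper that type-asserts the result of bmp.Decode to *image.Paletted and calls this validator gives an unpatched dependency the same contract as v0.41.0: bad files fail at decode time, never at pixel access.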

