CVE-2026-42500
Deferred Deferred - Pending Action
Panic in Go's image/png Package from Invalid Palette Index

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: Go Project

Description
Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42500
EUVD
EUVD-2026-33419
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
golang golang to 0.41.0 (exc)
golang x_image_bmp *
golang x_image_tiff *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42500 is a vulnerability in the Go programming language's x/image/bmp package where decoding a paletted BMP file with an out-of-range palette index causes a panic. This happens because the decoder tries to access pixels using an invalid palette index, which leads to a runtime panic instead of handling the error gracefully.

The issue was fixed by changing the decoder to return an error when encountering such invalid palette indices, preventing the panic and improving the robustness of BMP file handling.

Impact Analysis

This vulnerability can cause applications using the affected Go package to crash unexpectedly when processing malformed BMP images with out-of-range palette indices. Such crashes can lead to denial of service conditions if an attacker supplies specially crafted BMP files.

While the vulnerability does not lead to information disclosure or code execution, the availability impact (application panic) can disrupt services or user experience.

Detection Guidance

This vulnerability occurs when decoding a paletted BMP file with an out-of-range palette index using the golang.org/x/image/bmp package before version 0.41.0, which causes a panic.

To detect this vulnerability on your system, you can check the version of the x/image/bmp package used in your Go environment or application.

  • Run `go list -m all | grep golang.org/x/image/bmp` to identify the version of the bmp package in your project.
  • If you have access to the source code or binaries, verify if the package version is earlier than v0.41.0.

Additionally, you can test decoding BMP files with potentially malformed palette indices to see if the decoder panics, indicating the presence of the vulnerability.

Mitigation Strategies

The primary mitigation step is to upgrade the golang.org/x/image/bmp package to version v0.41.0 or later, where the vulnerability has been fixed.

The fix changes the decoder behavior to return an error instead of panicking when encountering out-of-range palette indices, preventing crashes.

If upgrading immediately is not possible, consider validating or sanitizing BMP files before decoding to avoid processing malformed images.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-42500 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42500. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart