CVE-2026-46599
TIFF Decoder PackBits Compression Denial of Service
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Go Project
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | go | to 0.41.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability affects the TIFF decoder in the Go programming language's x/image/tiff package. Specifically, the decoder does not impose a limit on the size of PackBits-compressed data. This means that a maliciously crafted TIFF image, which appears small in terms of pixel dimensions and encoded size, can exploit this flaw to cause the decoder to decompress and process a large amount of compressed data.
This lack of limitation can lead to excessive resource consumption such as high memory and CPU usage during the decoding process.
How can this vulnerability impact me? :
This vulnerability can impact you by causing excessive resource consumption when processing a maliciously crafted TIFF image. Even if the image file appears small, it can trigger the decoder to use large amounts of memory and CPU.
Such excessive resource usage could lead to performance degradation, denial of service, or crashes in applications that rely on the vulnerable TIFF decoder.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the golang.org/x/image package to version v0.41.0 or later, where the TIFF decoder has been fixed to impose limits on the size of PackBits-compressed data.
This update prevents maliciously crafted TIFF images from causing excessive resource consumption during decompression.