CVE-2026-46601
Deferred Deferred - Pending Action

WebP Decoder Panic in Go Standard Library

Vulnerability report for CVE-2026-46601, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: Go Project

Description

The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
golang golang.org to v0.43.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in the webp decoder when it processes a VP8 chunk that has dimensions not matching the canvas size. This mismatch can cause the decoder to panic, which means it may crash or stop functioning unexpectedly.

Impact Analysis

The impact of this vulnerability is that the webp decoder may panic or crash when handling certain malformed VP8 chunks. This could lead to denial of service or application instability if an attacker supplies crafted images with mismatched dimensions.

Compliance Impact

There is no information provided in the available context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability occurs when the webp decoder in Go's x/image/webp package processes a VP8 chunk with width and height dimensions that do not match the canvas size, potentially causing a panic.

To detect this vulnerability on your system, you can test decoding of WebP images that have mismatched VP8 chunk dimensions and canvas sizes, especially those containing ALPH chunks.

There are no specific commands provided in the resources, but you can write or use Go code that attempts to decode suspicious WebP images using the Decode or DecodeConfig functions from the golang.org/x/image/webp package before version v0.43.0 and observe if a panic occurs.

Mitigation Strategies

To mitigate this vulnerability, update the golang.org/x/image/webp package to version v0.43.0 or later, where the issue has been fixed.

Avoid processing untrusted WebP images with mismatched VP8 chunk dimensions and canvas sizes until the update is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46601. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart