CVE-2026-46602
Deferred Deferred - Pending Action

TIFF Decoder Unbounded Memory Consumption via Large Tiles

Vulnerability report for CVE-2026-46602, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: Go Project

Description

The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-16
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
golang golang.org to 0.43.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the TIFF image decoder, where it does not impose a limit on the size of tiles in tiled images. As a result, a malicious or corrupted TIFF image containing an extremely large tile can cause the decoder to consume an unbounded amount of memory.

Impact Analysis

The impact of this vulnerability is that processing a specially crafted TIFF image can lead to excessive memory consumption. This can cause the application or system handling the image to slow down, become unstable, or crash due to resource exhaustion.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the TIFF decoder in the golang.org/x/image package not limiting tile sizes in tiled images, which can cause unbounded memory consumption when processing malicious or corrupt TIFF images.

Detection would involve monitoring for unusually high memory usage or crashes in applications using this TIFF decoder when processing TIFF images.

There are no specific commands provided in the available resources to detect this vulnerability directly on a network or system.

Mitigation Strategies

Immediate mitigation involves avoiding processing untrusted or potentially malicious TIFF images with the vulnerable golang.org/x/image/tiff package versions prior to v0.43.0.

Monitoring and limiting memory usage of applications that decode TIFF images can help reduce the risk of denial-of-service conditions.

Applying updates to the golang.org/x/image package to version v0.43.0 or later, where the vulnerability is fixed, is the recommended long-term mitigation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46602. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart