CVE-2026-33809 — Improper Validation of Specified Index, Position, or Offset in Input in X Image Golang.org X Image Tiff

CWE-1285 — Improper Validation of Specified Index, Position, or Offset in Input CWE-770 — Allocation of Resources Without Limits or Throttling8 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 89.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang.org X Image Golang.org X Image Tiff Golang.org X Image Debian Golang-golang-x-image

Timeline

PublishedMar 25

Description

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5golang.org/x_image_golang.org_x_image_tiff< 0.38.0

▶Gogolang.org/x_image< 0.38.0

▶debiandebian/golang-golang-x-image< golang-golang-x-image 0.38.0-1 (forky)

🔴Vulnerability Details

GHSA

Go Images vulnerable to an out-of-memory error via a crafted TIFF file↗2026-03-25

▶

OSV

OOM from malicious IFD offset in golang.org/x/image/tiff↗2026-03-25

▶

OSV

Go Images vulnerable to an out-of-memory error via a crafted TIFF file↗2026-03-25

▶

OSV

CVE-2026-33809: A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an↗2026-03-25

▶

📋Vendor Advisories

Red Hat

golang: golang.org/x/image/tiff: golang.org/x/image/tiff: Denial of Service via maliciously crafted TIFF file↗2026-03-25

▶

Debian

CVE-2026-33809: golang-golang-x-image - A maliciously crafted TIFF file can cause image decoding to attempt to allocate ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-33809 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶