golang.org/x/image (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package golang.org/x/image, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (12)
CVE-2026-46602 — CVSS 7.5 (high): The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large…
CVE-2026-46601 — CVSS 7.5 (high): The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.
CVE-2026-46599 — CVSS 7.5 (high): The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a…
CVE-2023-29407 — CVSS 6.5 (medium): A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can…
CVE-2023-29408 — CVSS 6.5 (medium): The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small…
CVE-2022-41727 — CVSS 5.5 (medium): An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead…
CVE-2023-36308 — CVSS 5.5 (medium): disintegration Imaging 1.6.2 allows attackers to cause a panic (because of an integer index out of range during a Grayscale call) via a…
CVE-2026-42500 — CVSS 5.3 (medium): Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.
CVE-2026-33809 — CVSS 5.3 (medium): A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource…