{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33809", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-23T20:35:32.813Z", "datePublished": "2026-03-25T18:24:04.222Z", "dateUpdated": "2026-04-06T21:12:56.092Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-06T21:12:56.092Z"}, "title": "OOM from malicious IFD offset in golang.org/x/image/tiff", "descriptions": [{"lang": "en", "value": "A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error."}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/tiff", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/image/tiff", "versions": [{"version": "0", "lessThan": "0.38.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "buffer.fill"}, {"name": "buffer.ReadAt"}, {"name": "Decode"}, {"name": "DecodeConfig"}, {"name": "buffer.Slice"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "references": [{"url": "https://go.dev/cl/757660"}, {"url": "https://go.dev/issue/78267"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4815"}], "credits": [{"lang": "en", "value": "Andy Gill, ZephrSec Ltd"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:05:32.763729Z", "id": "CVE-2026-33809", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:05:50.620Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33809", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:05:32.763729Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:05:46.284Z"}}], "cna": {"title": "OOM from malicious IFD offset in golang.org/x/image/tiff", "credits": [{"lang": "en", "value": "Andy Gill, ZephrSec Ltd"}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/tiff", "versions": [{"status": "affected", "version": "0", "lessThan": "0.38.0", "versionType": "semver"}], "packageName": "golang.org/x/image/tiff", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "buffer.fill"}, {"name": "buffer.ReadAt"}, {"name": "Decode"}, {"name": "DecodeConfig"}, {"name": "buffer.Slice"}]}], "references": [{"url": "https://go.dev/cl/757660"}, {"url": "https://go.dev/issue/78267"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4815"}], "descriptions": [{"lang": "en", "value": "A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-06T21:12:56.092Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33809", "state": "PUBLISHED", "dateUpdated": "2026-04-06T21:12:56.092Z", "dateReserved": "2026-03-23T20:35:32.813Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-03-25T18:24:04.222Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:tiff:*:*:*:*:*:go:*:*", "matchCriteriaId": "FBFB750C-D8BB-434B-A990-8EC3DDCA6CBE", "versionEndExcluding": "0.38.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error."}, {"lang": "es", "value": "Un archivo TIFF creado maliciosamente puede provocar que la decodificaci\u00f3n de la imagen intente asignar hasta 4 GiB de memoria, causando un consumo excesivo de recursos o un error de falta de memoria."}], "id": "CVE-2026-33809", "lastModified": "2026-04-21T16:30:41.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T19:16:51.830", "references": [{"source": "security@golang.org", "tags": ["Mailing List"], "url": "https://go.dev/cl/757660"}, {"source": "security@golang.org", "tags": ["Issue Tracking"], "url": "https://go.dev/issue/78267"}, {"source": "security@golang.org", "tags": ["Vendor Advisory"], "url": "https://pkg.go.dev/vuln/GO-2026-4815"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "golang: golang.org/x/image/tiff: golang.org/x/image/tiff: Denial of Service via maliciously crafted TIFF file", "id": "2451437", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451437"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1285", "details": ["A flaw was found in golang.org/x/image/tiff. A remote attacker could exploit this vulnerability by providing a maliciously crafted Tagged Image File Format (TIFF) file. This could cause the image decoding process to attempt to allocate up to 4 gigabytes (GiB) of memory. The excessive resource consumption or an out-of-memory error would lead to a Denial of Service (DoS) condition."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-33809", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Fix deferred", "package_name": "cryostat/cryostat-storage-rhel9", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Fix deferred", "package_name": "openshift-logging/cluster-logging-rhel9-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "go-toolset:rhel8/golang", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:3", "fix_state": "Fix deferred", "package_name": "golang", "product_name": "Red Hat Enterprise Linux AI (RHEL AI) 3"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift4/ose-tests-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Fix deferred", "package_name": "openshift-golang-builder-container", "product_name": "Red Hat OpenShift Virtualization 4"}], "public_date": "2026-03-25T18:24:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33809\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33809\nhttps://go.dev/cl/757660\nhttps://go.dev/issue/78267\nhttps://pkg.go.dev/vuln/GO-2026-4815"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.38.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "golang.org/x/image/tiff", "source": "cna", "vendor": "golang.org/x/image"}, "product": "image", "vendor": "golang"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.38.0)"}}], "original": {"product": "golang.org/x/image/tiff", "source": "cna", "vendor": "golang.org/x/image"}, "product": "tiff", "vendor": "golang"}], "analysis": {"en": {"generated_at": "2026-04-22T06:02:05.123364+00:00", "value": {"mitigation_remediation": ["Apply the latest release of golang.org/x/image that includes the fix for the TIFF decoder.", "If an upgrade cannot be performed immediately, restrict processing of TIFF files to trusted or verified sources, and validate file size before decoding.", "Run the image decoding components in a constrained environment (e.g., containers with memory limits) to limit the impact of an out\u2011of\u2011memory failure."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in golang.org/x/image, specifically the golang.org/x/image/tiff package. Version information is not specified in the advisories, so any installation of this package that contains the buggy decoder may be affected.", "description_and_impact": "A maliciously crafted TIFF file can force the Go image/tiff decoder to try allocating up to 4\u202fGiB of memory, which may overwhelm the system or trigger an out\u2011of\u2011memory condition. The result is a denial of service by exhausting available resources.", "risk_and_exploitability": "With a CVSS score of 5.3 the severity is moderate. The EPSS score is less than 1% (approximately 0.00012), indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The vulnerability is triggered by supplying a crafted TIFF file; therefore, the likely attack vector is through arbitrary file processing, either locally by users who can supply files or remotely if the application accepts uploads. Exploitation requires only the presence of a vulnerable decoder and a malicious file. Once triggered, the service can be brought down or degraded by exhausting memory resources."}}}}, "created": "2026-03-26T11:34:14.085750+00:00", "updated": "2026-04-22T06:15:10.422288+00:00", "vendors": ["golang", "golang$PRODUCT$image", "golang$PRODUCT$tiff"]}