CVE-2026-33809 PUBLISHED

OOM from malicious IFD offset in golang.org/x/image/tiff

Assigner: Go
Reserved: 23.03.2026 Published: 25.03.2026 Updated: 25.03.2026

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4 GiB of memory, causing either excessive resource consumption or an out-of-memory error.

Product Status

Vendor golang.org/x/image
Product golang.org/x/image/tiff
Versions Default: unaffected
  • affected from 0 to 0.38.0 (excl.)
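
To check a project against the affected range above, the following added example (not part of the CVE record or of the Go project's code) reads the text of a `go.mod` file and reports whether the required `golang.org/x/image` version is below 0.38.0. The names `affected` and `checkGoMod` and the sample input are constructed for illustration; `replace` directives are not resolved.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Module path and first unaffected version, as given in the record above.
const modulePath = "golang.org/x/image"
var fixed = [3]int{0, 38, 0}

// affected reports whether v sorts below 0.38.0. A pre-release or pseudo-version
// of 0.38.0 itself sorts before the release, so it counts as affected.
func affected(v string) (bool, error) {
	core, _, pre := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(core, ".")
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || len(parts) != 3 {
			return false, fmt.Errorf("unrecognized version %q", v)
		}
		nums[i] = n
	}
	for i := range nums {
		if nums[i] != fixed[i] {
			return nums[i] < fixed[i], nil
		}
	}
	return pre, nil
}

// checkGoMod returns the required version of modulePath ("" if absent) and whether it is affected.
func checkGoMod(gomod string) (string, bool, error) {
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // strip comments such as "// indirect"
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == modulePath && strings.HasPrefix(f[1], "v") {
			bad, err := affected(f[1])
			return f[1], bad, err
		}
	}
	return "", false, nil
}

func main() { // constructed sample go.mod line, not from a real project
	fmt.Println(checkGoMod("require golang.org/x/image v0.37.0 // indirect\n"))
}
```
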

Problem Types

  • CWE-400: Uncontrolled Resource Consumption