[security] Vulnerabilities in golang.org/x/image


anno...@golang.org

May 21, 2026, 7:27:34 PM
to golan...@googlegroups.com

Hello gophers,

We have tagged version v0.41.0 of golang.org/x/image in order to address the following security issues:

x/image/bmp: panic when reading out of bound palette index

Decoding a paletted BMP file with an out-of-range palette index
would result in a panic when accessing pixels in the invalid image.
Decoding now correctly returns an error in this case.

This is CVE-2026-42500 and Go issue https://go.dev/issue/79576.

x/image/tiff: excessive resource consumption in PackBits decompression

The TIFF decoder did not place a limit on the size of PackBits-compressed data.
A maliciously-crafted image could exploit this to cause a small image (both in
terms of pixel width/height and encoded size) to make the decoder decode large
amounts of compressed data. The decoder now limits the amount of PackBits-compressed
data it will decompress.

Thanks to Uuganbayar Lkhamsuren for reporting this issue.

This is CVE-2026-33809 and Go issue https://go.dev/issue/79577.

Cheers,
Go Security team
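
The TIFF issue above is a decompressor running without an output budget. As an added example (not part of the announcement and not the x/image fix), here is a PackBits decoder that refuses to produce more than a caller-supplied limit. The names `unpackBitsLimited`, `ErrTooLarge` and `ErrTruncated` are hypothetical, and the limit is assumed to come from the strip's expected size.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Hypothetical error values for this example.
var (
	ErrTooLarge  = errors.New("packbits: output exceeds limit")
	ErrTruncated = errors.New("packbits: truncated input")
)

// unpackBitsLimited decodes PackBits data from src and fails as soon as the
// output would exceed maxOut bytes. A caller would normally derive maxOut
// from the expected strip size (rows * bytes per row).
func unpackBitsLimited(src []byte, maxOut int) ([]byte, error) {
	var dst []byte
	for i := 0; i < len(src); {
		n := int(int8(src[i])) // the run header is a signed byte
		i++
		if n == -128 { // no-op header
			continue
		}
		need, count := 1, 1-n // repeat run: one data byte, emitted 1-n times
		if n >= 0 {
			count = n + 1 // literal run: n+1 bytes copied as-is
			need = count
		}
		if len(src)-i < need {
			return nil, ErrTruncated
		}
		if count > maxOut-len(dst) { // check the budget before appending
			return nil, ErrTooLarge
		}
		if n >= 0 {
			dst = append(dst, src[i:i+count]...)
		} else {
			dst = append(dst, bytes.Repeat(src[i:i+1], count)...)
		}
		i += need
	}
	return dst, nil
}

func main() {
	// Constructed inputs: a well-formed stream, then a 2-byte run of 128 bytes.
	for _, in := range [][]byte{{0x02, 'a', 'b', 'c', 0xFE, 'z'}, {0x81, 0xAA}} {
		out, err := unpackBitsLimited(in, 16)
		fmt.Printf("%q %v\n", out, err)
	}
}
```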
