CVE-2026-46602

Description

The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.

Metadata

CVE ID: CVE-2026-46602
State: PUBLISHED
Assigner: Go
Reserved: 2026-05-15 17:35 UTC
Published: 2026-06-25 19:47 UTC
Last updated: 2026-06-25 19:47 UTC
Vendor / Product: golang.org/x/image / golang.org/x/image/tiff
Sources: cve.org · NVD

Severity & Metrics

No CVSS data available.

Affected products (1)

Vendor	Product	Platform	Versions
golang.org/x/image	golang.org/x/image/tiff	—	0 < 0.43.0

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-789: Memory Allocation with Excessive Size Value

References (3)

https://go.dev/cl/788422
https://go.dev/issue/79905
https://pkg.go.dev/vuln/GO-2026-5062

Back to overview