Memory Allocation Vulnerability in Go Programming Language
CVE-2026-33812

6.1 MEDIUM

Key Information:

Vendor
CVE Published: 21 April 2026

What is CVE-2026-33812?

A vulnerability in the Go programming language, in the font parsing package listed under Affected Version(s), allows an attacker to trigger excessive memory allocation by supplying a malicious font file for parsing. The application may consume an inordinate amount of resources while processing such a file, resulting in instability or denial of service.

Affected Version(s)

golang.org/x/image/font/sfnt 0 < 0.39.0

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andy Gill, ZephrSec Ltd