Out-of-Range Palette Index Vulnerability in Go Programming Language
CVE-2026-42500

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 29 May 2026

What is CVE-2026-42500?

This vulnerability occurs when an application processes a paletted BMP file. If a palette index used to decode the file is out of range, the decoded image is invalid and accessing its pixels causes a panic. This can lead to crashes or unexpected behavior in Go applications that rely on image processing.
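A defensive check for the condition described above, as an added example that is not code from this page or from the Go project. It assumes the decoder hands back an `*image.Paletted`; the names `checkPaletteIndices` and `constructedImage` are hypothetical, and the sample image is constructed in memory with the standard library only.

```go
package main

import (
	"fmt"
	"image"
	"image/color"
)

// checkPaletteIndices reports the first pixel whose palette index has no
// entry in the palette. Calling At on such a pixel panics, because
// image.Paletted.At indexes Palette with the raw byte stored in Pix.
func checkPaletteIndices(img image.Image) error {
	p, ok := img.(*image.Paletted)
	if !ok {
		return nil // not a paletted image: nothing to check
	}
	b := p.Bounds()
	for y := b.Min.Y; y < b.Max.Y; y++ {
		// Slice one row at a time so Stride padding is never inspected.
		row := p.Pix[p.PixOffset(b.Min.X, y):]
		for x := 0; x < b.Dx(); x++ {
			if int(row[x]) >= len(p.Palette) {
				return fmt.Errorf("pixel (%d,%d): palette index %d, palette has %d entries",
					b.Min.X+x, y, row[x], len(p.Palette))
			}
		}
	}
	return nil
}

// constructedImage builds a 2x2 paletted image with a two-colour palette
// (constructed sample). With corrupt set, pixel (1,1) gets index 7.
func constructedImage(corrupt bool) *image.Paletted {
	pal := color.Palette{color.Black, color.White}
	img := image.NewPaletted(image.Rect(0, 0, 2, 2), pal)
	copy(img.Pix, []uint8{0, 1, 1, 0})
	if corrupt {
		img.Pix[3] = 7
	}
	return img
}

func main() {
	fmt.Println("valid:  ", checkPaletteIndices(constructedImage(false)))
	fmt.Println("corrupt:", checkPaletteIndices(constructedImage(true)))
}
```

Run the check on a decoded image before any `At` call or re-encode, and reject the file when it returns an error.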

Affected Version(s)

golang.org/x/image/bmp 0 < 0.41.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
