WebP Decoder Panic in Go Programming Language by Google
CVE-2026-46601
Currently unrated
What is CVE-2026-46601?
The WebP decoder in the Go programming language can panic while processing VP8 chunks whose dimensions do not match the expected canvas size. The panic can lead to unexpected behavior and service disruptions, so users should update their Go environments to prevent exploitation.
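Until the dependency is updated, a decoder panic can be contained at the call site. The following is an added example, not code from the Go project or from this advisory: safeDecode, ErrDecoderPanic and the panicking stand-in decoder are hypothetical names, and the decoder is passed in as a function so the block needs only the standard library (in real use it would be webp.Decode from golang.org/x/image/webp).

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"image"
	"io"
)

// decodeFunc has the same signature as webp.Decode in golang.org/x/image/webp.
type decodeFunc func(io.Reader) (image.Image, error)

// ErrDecoderPanic marks input that made the decoder panic (hypothetical name).
var ErrDecoderPanic = errors.New("image decoder panicked")

// safeDecode feeds at most maxBytes of untrusted input to decode and converts
// a panic raised inside the decoder into an ordinary error, so a single
// malformed file is rejected instead of crashing the calling goroutine.
func safeDecode(decode decodeFunc, r io.Reader, maxBytes int64) (img image.Image, err error) {
	defer func() {
		if p := recover(); p != nil {
			img, err = nil, fmt.Errorf("%w: %v", ErrDecoderPanic, p)
		}
	}()
	return decode(io.LimitReader(r, maxBytes))
}

// panickyDecode is a constructed stand-in for a decoder with a panic bug:
// it writes past a fixed 4-byte buffer whenever the input is 4 bytes or longer.
func panickyDecode(r io.Reader) (image.Image, error) {
	data, err := io.ReadAll(r)
	if err != nil {
		return nil, err
	}
	canvas := make([]byte, 4)
	canvas[len(data)] = 1 // index out of range for long inputs
	return image.NewGray(image.Rect(0, 0, 2, 2)), nil
}

func main() {
	// Constructed input; a real caller would pass an uploaded file or request body.
	_, err := safeDecode(panickyDecode, bytes.NewReader([]byte("constructed input")), 1<<20)
	fmt.Println("decode result:", err)
}
```

recover only catches a panic on the goroutine that called safeDecode, so the wrapper has to sit on the same goroutine as the decode call.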
Affected Version(s)
golang.org/x/image/webp: 0 < 0.43.0 (versions before 0.43.0)
