Unbounded Memory Consumption in Tiled Image Processing for Go Products
CVE-2026-46602
Currently unrated
What is CVE-2026-46602?
The TIFF decoder in certain Go products does not limit the tile size of tiled images. An attacker can upload a specially crafted image containing exceptionally large tiles, potentially causing unbounded memory consumption. As memory is exhausted, the application may suffer degraded performance or crash. Decoders that handle untrusted images need to enforce proper size limits.
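One way to screen uploads before they reach the decoder, as an added example that is not code from golang.org/x/image or from this advisory: it reads the TIFF 6.0 TileWidth (322) and TileLength (323) tags from the first IFD using only the standard library and rejects the file when the tile area exceeds a cap. The names `CheckTileSize`, `SampleTIFF`, `ErrTileTooLarge` and the 4 Mi pixel cap are assumptions chosen for illustration, and the sample bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const maxTilePixels = 1 << 22 // assumed policy cap, not a value from the advisory
var ErrTileTooLarge = errors.New("tiff: tile exceeds policy cap")

// CheckTileSize reads TileWidth (322) and TileLength (323) from the first IFD.
func CheckTileSize(b []byte) error {
	var bo binary.ByteOrder = binary.LittleEndian
	if len(b) >= 8 && string(b[:2]) == "MM" {
		bo = binary.BigEndian
	} else if len(b) < 8 || string(b[:2]) != "II" {
		return errors.New("tiff: bad header")
	}
	off := uint64(bo.Uint32(b[4:]))
	if bo.Uint16(b[2:]) != 42 || off+2 > uint64(len(b)) ||
		off+2+12*uint64(bo.Uint16(b[off:])) > uint64(len(b)) {
		return errors.New("tiff: bad magic or IFD out of range") // fail closed
	}
	dim := map[uint16]uint64{322: 0, 323: 0}
	for i, n := uint64(0), uint64(bo.Uint16(b[off:])); i < n; i++ {
		e := b[off+2+i*12:]
		tag, typ := bo.Uint16(e), bo.Uint16(e[2:])
		if _, ok := dim[tag]; ok && typ == 3 { // SHORT, left-justified in the field
			dim[tag] = uint64(bo.Uint16(e[8:]))
		} else if ok && typ == 4 { // LONG
			dim[tag] = uint64(bo.Uint32(e[8:]))
		}
	}
	if dim[322]*dim[323] > maxTilePixels {
		return fmt.Errorf("%w: %dx%d", ErrTileTooLarge, dim[322], dim[323])
	}
	return nil
}

// SampleTIFF returns a constructed header plus IFD with two LONG entries ("____" = value).
func SampleTIFF(w, h uint32) []byte {
	b := []byte("II*\x00\x08\x00\x00\x00\x02\x00\x42\x01\x04\x00\x01\x00\x00\x00____\x43\x01\x04\x00\x01\x00\x00\x00____")
	binary.LittleEndian.PutUint32(b[18:], w)
	binary.LittleEndian.PutUint32(b[30:], h)
	return b
}

func main() { fmt.Println(CheckTileSize(SampleTIFF(1<<20, 1<<20))) }
```

The check inspects only the first IFD, so a multi-page file needs the same walk repeated along the next-IFD chain.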
Affected Version(s)
golang.org/x/image/tiff: versions from 0 up to, but not including, 0.43.0
