Out-of-Bounds Vulnerability in TIFF Decoder Affects Go Programming Language
CVE-2026-46604

Currently unrated

Key Information:

Vendor: Golang.org/x/image
Status: Golang.org/x/image/tiff
Vendor: CVE Published:; 26 June 2026

🔔 Create Golang.org/x/image Vulnerability Alert

What is CVE-2026-46604?

A vulnerability exists in the TIFF decoder of the Go programming language, which may lead to application crashes when processing invalid images. Specifically, an out-of-bounds strip offset could cause the decoder to panic, resulting in a denial of service. Developers and users handling TIFF images need to be aware of this flaw to ensure their applications remain stable and secure.

Affected Version(s)

golang.org/x/image/tiff 0 < 0.43.0

References

https://go.dev/cl/788421

https://go.dev/issue/80122

https://pkg.go.dev/vuln/GO-2026-5066

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
May 15, 2026

Credit

sorte

CVE-2026-46604 Data

JSON