CVE-2026-46602 - Vulnerability Details - OpenCVE

The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Golang	Image

No data.

No data.

References

Link	Providers
https://go.dev/cl/788422
https://go.dev/issue/79905
https://pkg.go.dev/vuln/GO-2026-5062

History

Fri, 26 Jun 2026 19:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770 CWE-789

Fri, 26 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-770 CWE-789

Fri, 26 Jun 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 26 Jun 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Golang Golang image
Vendors & Products		Golang Golang image

Thu, 25 Jun 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-770 CWE-789

Thu, 25 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.
Title		Lack of limit on tile sizes in x/image/tiff in golang.org/x/image
References		https://go.dev/cl/788422 https://go.dev/issue/79905 https://pkg.go.dev/vuln/GO-2026-5062

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2026-06-25T19:47:21.690Z

Updated: 2026-06-26T16:07:00.792Z

Reserved: 2026-05-15T17:35:00.814Z

Link: CVE-2026-46602

Vulnrichment

Updated: 2026-06-26T16:06:55.322Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46602", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-05-15T17:35:00.814Z", "datePublished": "2026-06-25T19:47:21.690Z", "dateUpdated": "2026-06-26T16:07:00.792Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-06-25T19:47:21.690Z"}, "title": "Lack of limit on tile sizes in x/image/tiff in golang.org/x/image", "descriptions": [{"lang": "en", "value": "The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption."}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/tiff", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/image/tiff", "versions": [{"version": "0", "lessThan": "0.43.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "Decode"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "references": [{"url": "https://go.dev/cl/788422"}, {"url": "https://go.dev/issue/79905"}, {"url": "https://pkg.go.dev/vuln/GO-2026-5062"}], "credits": [{"lang": "en", "value": "Prasanna Dabi (GitHub: prasanna8585)"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-26T16:05:58.046352Z", "id": "CVE-2026-46602", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T16:07:00.792Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-46602", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-26T16:05:58.046352Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T16:06:55.322Z"}}], "cna": {"title": "Lack of limit on tile sizes in x/image/tiff in golang.org/x/image", "credits": [{"lang": "en", "value": "Prasanna Dabi (GitHub: prasanna8585)"}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/tiff", "versions": [{"status": "affected", "version": "0", "lessThan": "0.43.0", "versionType": "semver"}], "packageName": "golang.org/x/image/tiff", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "Decode"}]}], "references": [{"url": "https://go.dev/cl/788422"}, {"url": "https://go.dev/issue/79905"}, {"url": "https://pkg.go.dev/vuln/GO-2026-5062"}], "descriptions": [{"lang": "en", "value": "The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-06-25T19:47:21.690Z"}}}, "cveMetadata": {"cveId": "CVE-2026-46602", "state": "PUBLISHED", "dateUpdated": "2026-06-26T16:07:00.792Z", "dateReserved": "2026-05-15T17:35:00.814Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-06-25T19:47:21.690Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}