CVE-2026-46599

Published: May 29, 2026

Modified: Jun 1, 2026

PUBLISHED

Description

The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.

Vendor	Product	Versions
golang.org/x/image	golang.org/x/image/tiff	affected `0 - < 0.41.0`

References

https://go.dev/issue/79577

https://go.dev/cl/759960

https://groups.google.com/g/golang-announce/c/uhYX90BlBvI

https://pkg.go.dev/vuln/GO-2026-5032

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-46599

Description

Affected Products

References