DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-46599: CVE-2026-46599: Unrestricted Memory Allocation in golang.org/x/image/tiff PackBits Decoder

CVE-2026-46599: Unrestricted Memory Allocation in golang.org/x/image/tiff PackBits Decoder

Vulnerability ID: CVE-2026-46599
CVSS Score: 7.5
Published: 2026-07-02

CVE-2026-46599 (also identified by Go vulnerability alias GO-2026-5032) is a high-severity denial-of-service vulnerability in the Go image repository, specifically within the TIFF decoder's PackBits decompression engine. A lack of resource limits during the parsing of Run-Length Encoded PackBits streams allows an attacker to construct a crafted TIFF image that achieves significant decompression amplification. This flaw enables an unauthenticated remote attacker to exhaust system resources, leading to an Out-of-Memory crash or a prolonged application hang.

TL;DR

Unrestricted PackBits decompression in golang.org/x/image/tiff allows unauthenticated remote attackers to trigger denial of service via memory exhaustion using a crafted 2MB TIFF image that decompresses to 745MB.


Technical Details

  • CWE ID: CWE-770 (Allocation of Resources Without Limits or Throttling)
  • Attack Vector: Network (AV:N)
  • CVSS Score: 7.5 (High)
  • EPSS Score: 0.00353
  • EPSS Percentile: 27.35%
  • Exploit Status: No public functional exploit code (None/PoC-only)
  • KEV Status: Not in CISA's Known Exploited Vulnerabilities (KEV) catalog

Affected Systems

  • Go ecosystem applications using golang.org/x/image/tiff
  • Tailscale clients and mesh components
  • Rclone cloud storage utilities
  • Gitea self-hosted Git services
  • Kubescape CLI scanner
  • Echo web framework-driven backend services parsing multipart image structures
  • golang.org/x/image/tiff: < v0.41.0 (Fixed in: v0.41.0)

Code Analysis

Commit: fe8ae45

Limit PackBits decompression output size to prevent decompression bombs

Mitigation Strategies

  • Upgrade golang.org/x/image to v0.41.0 or higher
  • Implement application-level file validation to block TIFF files
  • Enforce strict HTTP request body size limits
  • Rebuild and redeploy all statically compiled Go binaries

Remediation Steps:

  1. Navigate to the Go module directory
  2. Execute 'go get golang.org/x/image@v0.41.0'
  3. Run 'go mod tidy' to update go.sum
  4. Recompile application binaries with 'go build'
  5. Deploy the updated executable to production environments

References


Read the full report for CVE-2026-46599 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)