CVE-2026-46599: Unrestricted Memory Allocation in golang.org/x/image/tiff PackBits Decoder
Vulnerability ID: CVE-2026-46599
CVSS Score: 7.5
Published: 2026-07-02
CVE-2026-46599 (also identified by Go vulnerability alias GO-2026-5032) is a high-severity denial-of-service vulnerability in the Go image repository, specifically within the TIFF decoder's PackBits decompression engine. A lack of resource limits during the parsing of Run-Length Encoded PackBits streams allows an attacker to construct a crafted TIFF image that achieves significant decompression amplification. This flaw enables an unauthenticated remote attacker to exhaust system resources, leading to an Out-of-Memory crash or a prolonged application hang.
TL;DR
Unrestricted PackBits decompression in golang.org/x/image/tiff allows unauthenticated remote attackers to trigger denial of service via memory exhaustion using a crafted 2MB TIFF image that decompresses to 745MB.
Technical Details
- CWE ID: CWE-770 (Allocation of Resources Without Limits or Throttling)
- Attack Vector: Network (AV:N)
- CVSS Score: 7.5 (High)
- EPSS Score: 0.00353
- EPSS Percentile: 27.35%
- Exploit Status: No public functional exploit code (None/PoC-only)
- KEV Status: Not in CISA's Known Exploited Vulnerabilities (KEV) catalog
Affected Systems
- Go ecosystem applications using golang.org/x/image/tiff
- Tailscale clients and mesh components
- Rclone cloud storage utilities
- Gitea self-hosted Git services
- Kubescape CLI scanner
- Echo web framework-driven backend services parsing multipart image structures
-
golang.org/x/image/tiff: < v0.41.0 (Fixed in:
v0.41.0)
Code Analysis
Commit: fe8ae45
Limit PackBits decompression output size to prevent decompression bombs
Mitigation Strategies
- Upgrade golang.org/x/image to v0.41.0 or higher
- Implement application-level file validation to block TIFF files
- Enforce strict HTTP request body size limits
- Rebuild and redeploy all statically compiled Go binaries
Remediation Steps:
- Navigate to the Go module directory
- Execute 'go get golang.org/x/image@v0.41.0'
- Run 'go mod tidy' to update go.sum
- Recompile application binaries with 'go build'
- Deploy the updated executable to production environments
References
- NVD Record for CVE-2026-46599
- CVE.org Authority Record
- Go Vulnerability Database Entry
- Go Issue Tracker Thread
Read the full report for CVE-2026-46599 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)