PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46599 golang.org/x/image CVE debrief

A vulnerability in the TIFF decoder of the golang.org/x/image module (package golang.org/x/image/tiff, not the Go standard library) allows a maliciously crafted image to trigger excessive memory consumption. The PackBits decompression routine does not bound the size of its decompressed output, so a small input image can expand into arbitrarily large decoded data. This is a denial-of-service vector through resource exhaustion. The issue was addressed through the Go security process with a fix that limits the decompressed data size.

Vendor
golang.org/x/image
Product
golang.org/x/image/tiff
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations running Go applications that decode TIFF images from untrusted sources using golang.org/x/image/tiff, including web services that accept uploads, document processing pipelines, image conversion tools, and security scanning products that parse attachments.

Technical summary

The golang.org/x/image/tiff package contains a vulnerability in its PackBits decompression implementation. PackBits is a byte-oriented run-length encoding used in TIFF images: each header byte is followed either by a literal run of bytes or by a single byte to be repeated, so a two-byte repeat run can stand for up to 128 output bytes. The decoder did not check the decompressed size against the size the image's own parameters imply for the strip, so an attacker can craft a small TIFF whose PackBits data expands to consume excessive memory during decoding. This is a decompression bomb adapted to the TIFF format. Applications that decode untrusted TIFF images are exposed to denial of service through memory exhaustion or out-of-memory crashes; because the missing control was a bound on output, the fix caps the decompressed size rather than the input size.
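To make the expansion concrete, the following is an added example written for this debrief; it is not code from golang.org/x/image and does not reproduce the patched or unpatched x/image decoder. It implements the standard PackBits scheme twice: once with no output bound (the failure mode described above) and once rejecting output beyond an expected strip size, which in a real TIFF decoder would be derived from ImageWidth, RowsPerStrip, BitsPerSample and SamplesPerPixel. The "bomb" input is constructed inline.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// Errors returned by the bounded decoder. Names are this example's own.
var (
	ErrOutputTooLarge = errors.New("packbits: decompressed data exceeds expected strip size")
	ErrTruncated      = errors.New("packbits: truncated input")
)

// unpackBitsUnbounded decodes PackBits data with no limit on output size.
// Header byte n (as int8): 0..127 means copy the next n+1 bytes literally,
// -1..-127 means repeat the next byte 1-n times, -128 is a no-op.
// Output grows with the encoded run counts, so a tiny input can allocate a huge buffer.
func unpackBitsUnbounded(src []byte) ([]byte, error) {
	var dst bytes.Buffer
	for i := 0; i < len(src); {
		n := int(int8(src[i]))
		i++
		switch {
		case n >= 0: // literal run
			count := n + 1
			if i+count > len(src) {
				return nil, ErrTruncated
			}
			dst.Write(src[i : i+count])
			i += count
		case n == -128: // no-op
		default: // repeat run
			if i >= len(src) {
				return nil, ErrTruncated
			}
			dst.Write(bytes.Repeat(src[i:i+1], 1-n))
			i++
		}
	}
	return dst.Bytes(), nil
}

// unpackBitsBounded decodes the same encoding but refuses to emit more than
// limit bytes. limit is the strip size the TIFF headers imply; anything beyond
// it cannot be legitimate pixel data for that strip.
func unpackBitsBounded(src []byte, limit int) ([]byte, error) {
	dst := make([]byte, 0, limit)
	for i := 0; i < len(src); {
		n := int(int8(src[i]))
		i++
		switch {
		case n >= 0:
			count := n + 1
			if i+count > len(src) {
				return nil, ErrTruncated
			}
			if len(dst)+count > limit {
				return nil, ErrOutputTooLarge
			}
			dst = append(dst, src[i:i+count]...)
			i += count
		case n == -128:
		default:
			count := 1 - n
			if i >= len(src) {
				return nil, ErrTruncated
			}
			if len(dst)+count > limit {
				return nil, ErrOutputTooLarge
			}
			for j := 0; j < count; j++ {
				dst = append(dst, src[i])
			}
			i++
		}
	}
	return dst, nil
}

// craftBomb builds a constructed PackBits stream of `pairs` repeat runs; each
// two-byte run (0x81 = int8 -127, then 0xFF) decodes to 128 bytes, a 64x expansion.
func craftBomb(pairs int) []byte {
	bomb := make([]byte, 0, 2*pairs)
	for i := 0; i < pairs; i++ {
		bomb = append(bomb, 0x81, 0xFF)
	}
	return bomb
}

func main() {
	bomb := craftBomb(100) // 200 bytes of input
	out, _ := unpackBitsUnbounded(bomb)
	fmt.Printf("unbounded: %d input bytes -> %d output bytes\n", len(bomb), len(out))

	// A strip this image claims to be 1024 bytes; the bounded decoder stops early.
	_, err := unpackBitsBounded(bomb, 1024)
	fmt.Println("bounded:", err)
}
```

Scaling the pair count scales the unbounded allocation linearly while the input stays tiny; the bounded decoder fails as soon as the running total exceeds the declared strip size, before the large allocation happens.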

Defensive priority

high

Recommended defensive actions

  • Upgrade the golang.org/x/image dependency to the patched version indicated in the Go security announcement, then rebuild and redeploy affected binaries
  • Review applications that decode untrusted TIFF images for resource exhaustion risks, including code paths that reach image/tiff indirectly through image.Decode registrations
  • Bound memory use in image processing pipelines: reject images whose declared dimensions exceed what the service needs, and decode inside a process or container with a memory limit and a timeout so a malformed file fails safe
  • Monitor the Go vulnerability database at pkg.go.dev/vuln for additional guidance and run govulncheck against affected modules to confirm whether the vulnerable code is reachable

Evidence notes

Vulnerability confirmed through official Go security channels, including the golang-announce mailing list and Go vulnerability database entry GO-2026-5032. Fix implemented in Go change list (CL) 759960.

Official resources

2026-05-29