Denial of service via crafted TIFF image in golang.org/x/image/tiff
Description
An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A malformed TIFF image triggers excessive memory allocation in Go's image/tiff DecodeConfig, causing denial of service.
Root
Cause CVE-2022-41727 is a denial of service vulnerability in Go's image/tiff package. The DecodeConfig function does not properly validate TIFF image headers, allowing an attacker to craft a malformed TIFF that causes a significant memory allocation [1][2]. This is due to improper handling of integer arithmetic during tag parsing, leading to an oversized buffer allocation.
Attack
Vector An attacker can exploit this by providing a specially crafted TIFF image to any application that uses the vulnerable DecodeConfig function to process untrusted TIFF files. No authentication is required; the attack can be remote if the application accepts user-supplied images [2][3].
Impact
Successful exploitation results in memory exhaustion, leading to a denial of service condition. The affected process may crash or become unresponsive, disrupting availability [1].
Mitigation
The vulnerability is fixed in Go version 1.20.6 and 1.19.11, as well as in the golang.org/x/image module [2][3]. Users should update to patched versions. Fedora has also released updates [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
golang.org/x/imageGo | < 0.5.0 | 0.5.0 |
Affected products
2- golang.org/x/image/golang.org/x/image/tiffv5Range: 0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
12- github.com/advisories/GHSA-qgc7-mgm3-q253ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-41727ghsaADVISORY
- go.dev/cl/468195ghsaWEB
- go.dev/issue/58003ghsaWEB
- groups.google.com/g/golang-announce/c/ag-FiyjlD5oghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESKghsaWEB
- pkg.go.dev/vuln/GO-2023-1572ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO54NBDUJXKAZNGCFOEYL2LKK2RQP6K6/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XWH6Q7NVM4MV3GWFEU4PA67AWZHVFJQ2/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZTEP6JYILRBNDTNWTEQ5D4QUUVQBESK/mitre
News mentions
0No linked articles in our index yet.