VYPR
Moderate severity · NVD Advisory · Published Aug 2, 2023 · Updated Feb 13, 2025

Excessive CPU consumption when decoding 0-height images in golang.org/x/image/tiff

CVE-2023-29407

Description

A maliciously-crafted image can cause excessive CPU consumption in decoding. A tiled image with a height of 0 and a very large width can cause excessive CPU consumption, despite the image size (width * height) appearing to be zero.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A crafted image with zero height and large width causes excessive CPU consumption in Go image decoding due to a flawed size check.

Vulnerability Description

A tiled image crafted with a height of zero and a very large width triggers excessive CPU consumption during decoding. The image size (width times height) appears to be zero, bypassing naive size checks, but the decoder still processes many tiles or pixels because of the large width. The root cause lies in the image decoding code, where the product check is insufficient.
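To make the flawed check concrete, here is an added, hypothetical Go example (not code from golang.org/x/image): a naive product-only check that accepts a zero-height, huge-width header beside a hardened check that bounds each dimension and the derived per-row tile count on their own. The limits, the ImageConfig type and the function names are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical limits for this example, not the library's own constants.
const (
	maxDim    = 1 << 16 // largest width or height accepted
	maxPixels = 1 << 26 // largest width*height accepted
	maxTiles  = 1 << 20 // largest tile count a decoder may iterate over
)

// ImageConfig holds the header fields a decoder reads before doing any work.
type ImageConfig struct {
	Width, Height, TileWidth, TileHeight int
}

// naiveCheck bounds only the product, so Height == 0 makes any Width look harmless.
func naiveCheck(c ImageConfig) error {
	if c.Width*c.Height > maxPixels {
		return errors.New("image too large")
	}
	return nil
}

// tilesAcross is per-row decoder work and depends on Width alone.
func tilesAcross(c ImageConfig) int {
	return (c.Width + c.TileWidth - 1) / c.TileWidth
}

// hardenedCheck rejects empty geometry, bounds each dimension, then the derived work.
func hardenedCheck(c ImageConfig) error {
	if c.Width <= 0 || c.Height <= 0 || c.TileWidth <= 0 || c.TileHeight <= 0 {
		return errors.New("zero or negative image or tile dimension")
	}
	if c.Width > maxDim || c.Height > maxDim {
		return errors.New("image dimension exceeds limit")
	}
	if tilesAcross(c) > maxTiles {
		return errors.New("tile count exceeds limit")
	}
	return nil
}

func main() {
	// Constructed header: zero height, enormous width, so width*height == 0.
	crafted := ImageConfig{Width: 1 << 30, Height: 0, TileWidth: 16, TileHeight: 16}
	fmt.Println("naive:", naiveCheck(crafted), "tiles across:", tilesAcross(crafted))
	fmt.Println("hardened:", hardenedCheck(crafted))
}
```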

Attack Vector

An attacker can exploit this by supplying a maliciously-crafted image file to an application that uses Go's image decoding libraries. No authentication is required; the attack can be delivered via uploaded images, email attachments, or any channel where images are processed. The excessive width forces the decoder to consume resources out of proportion to the nominal image size, leading to CPU exhaustion.

Impact

Successful exploitation results in a denial-of-service (DoS) condition due to high CPU consumption. The server or client processing the image becomes unresponsive or significantly degraded. While no data is compromised, availability is severely impacted.

Mitigation

The Go project has issued patches, and the issue is tracked as GO-2023-1990 [2]. Affected users should update to the patched versions of the Go image package. Fedora packages have also been updated [3][4]. No workaround is known; updating is the recommended action.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions   Patched versions
golang.org/x/image   Go          < 0.10.0            0.10.0

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 13

News mentions: 0

No linked articles in our index yet.