VYPR
Moderate severity · NVD Advisory · Published Aug 2, 2023 · Updated Feb 13, 2025

Excessive resource consumption in golang.org/x/image/tiff

CVE-2023-29408

Description

The TIFF decoder does not place a limit on the size of compressed tile data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height, and encoded size) to make the decoder decode large amounts of compressed data, consuming excessive memory and CPU.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The TIFF decoder in affected software lacks a size limit on compressed tile data, enabling a Denial-of-Service via crafted small images.

Root Cause

The vulnerability lies in the TIFF decoder, which does not impose a limit on the size of compressed tile data. A small image (in both pixel dimensions and encoded size) can contain a tile with an extremely large amount of compressed data. When the decoder attempts to process this tile, it decompresses the oversized data, leading to excessive memory consumption and CPU usage. This is a classic missing bounds check on compressed input streams. [1]

Exploitation Vector

An attacker crafts a malicious TIFF image with small pixel width/height but with one or more tiles containing a large blob of compressed data. No special access or privileges are required beyond delivering the image to the target (e.g., via email, web upload, or direct file access). The decoder processes the image as usual, but the absence of a size limit causes it to allocate memory for and decompress the oversized tile data, consuming system resources proportional to the inflated data. [1]

Impact

Successful exploitation results in a Denial-of-Service (DoS) condition: the process running the decoder exhausts available memory and/or CPU, potentially crashing or becoming unresponsive. The impact is limited to availability; there is no indication of code execution or data exfiltration. The vulnerability can be triggered by a file that appears benign at first glance (small file size and dimensions). [1]

Mitigation Status

As of the publication date (2023-08-02), remediation requires a patch or workaround that introduces a maximum tile size check. The issue is tracked as CVE-2023-29408. Affected software distributors (e.g., Fedora) have released updates (referenced in package announcements [2], [3], [4]). Users should apply vendor patches or update to a fixed version of the TIFF library. No evidence of exploitation in the wild (KEV list) has been publicly documented at the time of writing.
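One way to gate a file before it reaches the decoder, covering the missing bound described under Root Cause and the maximum-size check called for under Mitigation Status (an added example, not the x/image project's code or its fix): the function below parses the first IFD with only the standard library, sums the declared StripByteCounts/TileByteCounts values, and rejects a file whose compressed data cannot fit in the file or exceeds an assumed budget derived from the pixel dimensions. The maxRatio parameter, the 4 bytes per pixel, the 65536-pixel dimension cap and the crafted sample TIFF are all assumptions constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// checkTIFFBudget sums StripByteCounts (279) / TileByteCounts (325) from the first IFD and rejects
// files whose total cannot fit in the file or exceeds maxRatio x ImageWidth (256) x ImageLength (257) x 4.
func checkTIFFBudget(b []byte, maxRatio uint64) error {
	bos := map[string]binary.ByteOrder{"II": binary.LittleEndian, "MM": binary.BigEndian}
	if len(b) < 8 || bos[string(b[:2])] == nil {
		return errors.New("not a TIFF header")
	}
	bo, flen := bos[string(b[:2])], uint64(len(b))
	ifd := uint64(bo.Uint32(b[4:8]))
	if ifd+2 > flen || ifd+2+uint64(bo.Uint16(b[ifd:]))*12 > flen {
		return errors.New("IFD outside file")
	}
	vals := map[uint16]uint64{} // tag -> sum of its values
	for i, cnt := uint64(0), uint64(bo.Uint16(b[ifd:])); i < cnt; i++ {
		e := b[ifd+2+i*12:] // 12-byte entry: tag, type, count, value-or-offset
		tag, num := bo.Uint16(e), uint64(bo.Uint32(e[4:]))
		size, off, data := map[uint16]uint64{3: 2, 4: 4}[bo.Uint16(e[2:])], uint64(bo.Uint32(e[8:])), e[8:12]
		if size*num > 4 { // values of four bytes or fewer are inline; larger arrays live at off
			if off+size*num > flen {
				return errors.New("tag values outside file")
			}
			data = b[off : off+size*num]
		}
		for j := uint64(0); j < num && size > 0; j++ { // size 0: type is not SHORT/LONG, skipped
			if size == 2 {
				vals[tag] += uint64(bo.Uint16(data[j*2:]))
			} else {
				vals[tag] += uint64(bo.Uint32(data[j*4:]))
			}
		}
	}
	w, h, total := vals[256], vals[257], vals[279]+vals[325]
	if total == 0 || total > flen || w > 1<<16 || h > 1<<16 || total > w*h*4*maxRatio {
		return errors.New("declared compressed data missing or over budget")
	}
	return nil
}

// Constructed sample (not from the advisory): a 4x4 little-endian TIFF of 50 bytes whose one strip claims 1 GiB.
var craftedTIFF = append([]byte("II*\x00\x08\x00\x00\x00\x03\x00"), // header, IFD at 8, 3 entries
	0, 1, 4, 0, 1, 0, 0, 0, 4, 0, 0, 0, // ImageWidth (256) LONG = 4
	1, 1, 4, 0, 1, 0, 0, 0, 4, 0, 0, 0, // ImageLength (257) LONG = 4
	23, 1, 4, 0, 1, 0, 0, 0, 0, 0, 0, 0x40, // StripByteCounts (279) LONG = 0x40000000
	0, 0, 0, 0) // offset of the next IFD: none
```

Calling checkTIFFBudget(craftedTIFF, 2) returns an error before any decoder allocation happens; a file that fails the gate is dropped, while one that passes still goes to the patched decoder (0.10.0 or later), since the gate is a heuristic, not a replacement for the upstream fix.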

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem   Affected versions   Patched versions
golang.org/x/image  Go          < 0.10.0            0.10.0

Affected products

7

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

13

News mentions

0

No linked articles in our index yet.