CVE-2024-24792
Description
Parsing a corrupt or malicious image with invalid color indices can cause a panic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Parsing a malicious TIFF image with invalid color indices in Go's x/image/tiff library causes a denial-of-service via panic.
Vulnerability
In the Go package x/image/tiff, when decoding a paletted TIFF image, the parser does not validate color indices against the palette size. A crafted image with indices outside the valid range is successfully parsed but later causes a panic when the At method accesses the color palette [2].
Exploitation
An attacker can trigger the vulnerability by supplying a specially crafted TIFF file. No authentication is required; any application that uses tiff.Decode on untrusted input is affected. The provided reproducer demonstrates a panic with an index out of range error, leading to program termination [2].
Impact
Successful exploitation results in a denial-of-service condition, as the panic crashes the application. The issue is rated CVSS 7.5 (High) [1].
Mitigation
The vulnerability is fixed in a subsequent release of golang.org/x/image. Users should update to the latest version of the package. The Go vulnerability database entry GO-2024-2937 [3] and the associated commit [1] provide details and patches.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
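The bounds check the Vulnerability section above says the decoder skipped, plus a panic-recovering wrapper around At, as an added example in Go that is not part of this advisory or of golang.org/x/image. It assumes the decoder hands back the standard library's *image.Paletted (as paletted TIFF decoding does) and uses a constructed in-memory image rather than a real TIFF file; the function names are the example's own.

```go
package main

import (
	"fmt"
	"image"
	"image/color"
)

// ValidatePaletted checks every pixel index of a decoded paletted image
// against len(Palette). This is the check the vulnerable decoder skipped;
// without it the first At call on a bad pixel panics.
func ValidatePaletted(img *image.Paletted) error {
	n := len(img.Palette)
	b := img.Bounds()
	for y := 0; y < b.Dy(); y++ {
		row := img.Pix[y*img.Stride : y*img.Stride+b.Dx()]
		for x, idx := range row {
			if int(idx) >= n {
				return fmt.Errorf("pixel (%d,%d): index %d outside palette of %d entries",
					b.Min.X+x, b.Min.Y+y, idx, n)
			}
		}
	}
	return nil
}

// SafeAt turns a panic inside img.At into an error so that one corrupt
// image cannot terminate the whole process.
func SafeAt(img image.Image, x, y int) (c color.Color, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("image.At(%d,%d) panicked: %v", x, y, r)
		}
	}()
	return img.At(x, y), nil
}

// buildBadImage is constructed sample input (not a real TIFF): a 2x1 image
// with a 2-entry palette whose second pixel references entry 7.
func buildBadImage() *image.Paletted {
	img := image.NewPaletted(image.Rect(0, 0, 2, 1), color.Palette{color.Black, color.White})
	img.Pix[0], img.Pix[1] = 1, 7
	return img
}

func main() {
	fmt.Println("validate:", ValidatePaletted(buildBadImage()))
	_, err := SafeAt(buildBadImage(), 1, 0)
	fmt.Println("At:", err)
}
```

Against a decoder at or above the patched version ValidatePaletted should never report an error; it remains cheap defence in depth for services pinned to older x/image releases.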
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/image (Go) | < 0.18.0 | 0.18.0 |
Affected products
Affected package coordinates (purl) and version ranges, as recorded in OSV. No CPE is recorded for any entry.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/chainctl | < 0.2.59-r0 |
| pkg:apk/chainguard/docker-credential-cgr | < 0.2.59-r0 |
| pkg:apk/chainguard/gotenberg | < 8.7.0-r1 |
| pkg:apk/chainguard/hugo | < 0.128.0-r1 |
| pkg:apk/chainguard/hugo-extended | < 0.129.0-r0 |
| pkg:apk/chainguard/mattermost-9 | < 9.9.0-r1 |
| pkg:apk/chainguard/mattermost-9-compat | < 9.9.0-r1 |
| pkg:apk/chainguard/ollama | < 0.4.0-r1 |
| pkg:apk/chainguard/ollama-cpu | < 0.4.0-r1 |
| pkg:apk/wolfi/hugo | < 0.128.0-r1 |
| pkg:apk/wolfi/hugo-extended | < 0.129.0-r0 |
| pkg:apk/wolfi/mattermost-9 | < 9.9.0-r1 |
| pkg:apk/wolfi/mattermost-9-compat | < 9.9.0-r1 |
| pkg:apk/wolfi/ollama | < 0.4.0-r1 |
| pkg:apk/wolfi/ollama-cpu | < 0.4.0-r1 |
| pkg:golang/golang.org/x/image | < 0.18.0 |
| pkg:rpm/opensuse/gomuks&distro=openSUSE%20Tumbleweed | < 0.3.0-3.1 |
| pkg:rpm/opensuse/keybase-client&distro=openSUSE%20Leap%2015.5 | < 6.2.8-bp156.2.6.1 |
| pkg:rpm/opensuse/keybase-client&distro=openSUSE%20Leap%2015.6 | < 6.2.8-bp156.2.6.1 |
| pkg:rpm/opensuse/keybase-client&distro=openSUSE%20Tumbleweed | < 6.3.1-2.1 |
| pkg:rpm/suse/keybase-client&distro=SUSE%20Package%20Hub%2015%20SP5 | < 6.2.8-bp156.2.6.1 |
| pkg:rpm/suse/keybase-client&distro=SUSE%20Package%20Hub%2015%20SP6 | < 6.2.8-bp156.2.6.1 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-9phm-fm57-rhg8 (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-24792 (source: GHSA; type: advisory)
- cs.opensource.google/go/x/image (source: GHSA; type: package)
- go.dev/cl/588115 (source: NVD; type: web)
- go.dev/issue/67624 (source: NVD; type: web)
- pkg.go.dev/vuln/GO-2024-2937 (source: NVD; type: web)
News mentions
No linked articles in our index yet.