CVE-2026-33582
Description
Apache Answer 2.0.0 and earlier are vulnerable to an Out-of-Memory error via crafted TIFF uploads, leading to a server crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An Unrestricted Upload of File with Dangerous Type vulnerability exists in Apache Answer through version 2.0.0. A specially crafted TIFF image file can trigger excessive memory allocation during the image decoding process, leading to an Out-of-Memory error.
Exploitation
An authenticated user exploits this by uploading a TIFF payload under an extension the upload checker accepts (its switch only runs the decoders for jpg, jpeg, png, gif and webp). Before the fix the standard checks handed the file to image.DecodeConfig and image.Decode, which ignore the extension and dispatch on the file's magic bytes to any decoder registered with the image package, including a TIFF decoder pulled in by a transitive dependency. The excessive memory allocation in that decoder is sufficient to cause the server process to crash.
Impact
Successful exploitation of this vulnerability allows an authenticated user to cause the Apache Answer server process to crash. This results in a denial-of-service condition for the application.
Mitigation
Users are recommended to upgrade to Apache Answer version 2.0.1, which addresses this issue. The fixed version was released on June 9, 2026. [1]
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
1cfc3e54f30cc fix(image): enhance image decoding by implementing format-specific checks for JPEG, PNG, and GIF
1 file changed · +43 −16
pkg/checker/file_type.go+43 −16 modified@@ -22,9 +22,9 @@ package checker import ( "fmt" "image" - _ "image/gif" // use init to support decode jpeg,jpg,png,gif - _ "image/jpeg" - _ "image/png" + "image/gif" + "image/jpeg" + "image/png" "io" "os" "path/filepath" @@ -47,25 +47,26 @@ func IsUnAuthorizedExtension(fileName string, allowedExtensions []string) bool { func DecodeAndCheckImageFile(localFilePath string, maxImageMegapixel int) bool { ext := strings.ToLower(strings.TrimPrefix(filepath.Ext(localFilePath), ".")) switch ext { - case "jpg", "jpeg", "png", "gif": // only allow for `image/jpeg, image/jpg, image/png, image/gif` - if !decodeAndCheckImageFile(localFilePath, maxImageMegapixel, standardImageConfigCheck) { + case "jpg", "jpeg", "png", "gif": + if !decodeAndCheckImageFile(localFilePath, maxImageMegapixel, ext, formatSpecificConfigCheck) { return false } - if !decodeAndCheckImageFile(localFilePath, maxImageMegapixel, standardImageCheck) { + if !decodeAndCheckImageFile(localFilePath, maxImageMegapixel, ext, formatSpecificImageCheck) { return false } case "webp": - if !decodeAndCheckImageFile(localFilePath, maxImageMegapixel, webpImageConfigCheck) { + if !decodeAndCheckImageFile(localFilePath, maxImageMegapixel, ext, webpImageConfigCheck) { return false } - if !decodeAndCheckImageFile(localFilePath, maxImageMegapixel, webpImageCheck) { + if !decodeAndCheckImageFile(localFilePath, maxImageMegapixel, ext, webpImageCheck) { return false } } return true } -func decodeAndCheckImageFile(localFilePath string, maxImageMegapixel int, checker func(file io.Reader, maxImageMegapixel int) error) bool { +func decodeAndCheckImageFile(localFilePath string, maxImageMegapixel int, ext string, + checker func(file io.Reader, ext string, maxImageMegapixel int) error) bool { file, err := os.Open(localFilePath) if err != nil { log.Errorf("open file error: %v", err) 
@@ -75,15 +76,30 @@ func decodeAndCheckImageFile(localFilePath string, maxImageMegapixel int, checke _ = file.Close() }() - if err = checker(file, maxImageMegapixel); err != nil { + if err = checker(file, ext, maxImageMegapixel); err != nil { log.Errorf("check image format error: %v", err) return false } return true } -func standardImageConfigCheck(file io.Reader, maxImageMegapixel int) error { - config, _, err := image.DecodeConfig(file) +// formatSpecificConfigCheck decodes image config using a format-specific decoder +// based on the file extension. This avoids calling image.DecodeConfig() which +// dispatches by magic bytes and can invoke unintended decoders (e.g., TIFF) +// registered by transitive dependencies. +func formatSpecificConfigCheck(file io.Reader, ext string, maxImageMegapixel int) error { + var config image.Config + var err error + switch ext { + case "jpg", "jpeg": + config, err = jpeg.DecodeConfig(file) + case "png": + config, err = png.DecodeConfig(file) + case "gif": + config, err = gif.DecodeConfig(file) + default: + return fmt.Errorf("unsupported image format: %s", ext) + } if err != nil { return fmt.Errorf("decode image config error: %v", err) } 
@@ -93,15 +109,26 @@ func standardImageConfigCheck(file io.Reader, maxImageMegapixel int) error { return nil } -func standardImageCheck(file io.Reader, maxImageMegapixel int) error { - _, _, err := image.Decode(file) +// formatSpecificImageCheck fully decodes the image using a format-specific decoder. +func formatSpecificImageCheck(file io.Reader, ext string, _ int) error { + var err error + switch ext { + case "jpg", "jpeg": + _, err = jpeg.Decode(file) + case "png": + _, err = png.Decode(file) + case "gif": + _, err = gif.Decode(file) + default: + return fmt.Errorf("unsupported image format: %s", ext) + } if err != nil { return fmt.Errorf("decode image error: %v", err) } return nil } -func webpImageConfigCheck(file io.Reader, maxImageMegapixel int) error { +func webpImageConfigCheck(file io.Reader, _ string, maxImageMegapixel int) error { config, err := webp.DecodeConfig(file) if err != nil { return fmt.Errorf("decode webp image config error: %v", err) @@ -112,7 +139,7 @@ func webpImageConfigCheck(file io.Reader, maxImageMegapixel int) error { return nil } -func webpImageCheck(file io.Reader, maxImageMegapixel int) error { +func webpImageCheck(file io.Reader, _ string, _ int) error { _, err := webp.Decode(file) if err != nil { return fmt.Errorf("decode webp image error: %v", err)
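Review bot: in the DecodeAndCheckImageFile hunk (@@ -47,25) the switch still has no default case, so any extension other than jpg/jpeg/png/gif/webp falls through to `return true` and is reported as a validated image without any decoder touching it. Either add `default: return false` or document on the function that the caller must already have rejected the extension via IsUnAuthorizedExtension; now that `ext` selects the decoder, this function is the only thing binding content to extension, and a silent pass here undoes that.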
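Review bot: the new comment on formatSpecificConfigCheck (@@ -75,15) correctly says image.DecodeConfig dispatches by magic bytes to decoders registered by transitive dependencies, but that registration is process-wide, so this hunk only protects this call site; the commit message should state that no other image.Decode or image.DecodeConfig call remains in the code base (or list the ones that do), otherwise the same TIFF payload reaches the same decoder elsewhere. It is also worth saying in that comment that `ext` comes from filepath.Ext(localFilePath) and is now the trust boundary: the file must be stored under the allow-listed extension, not under a client-chosen name.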
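Review bot: in the last hunk (@@ -93,15) formatSpecificImageCheck discards maxImageMegapixel (`_ int`) and webpImageCheck now ignores both extra parameters; a one-line comment that the full decode is only reached after the config check has bounded the pixel count would make the unused parameters less surprising. Note also that gif.Decode returns only the first frame, so for GIF the full-decode step exercises less of the file than the config check implies; gif.DecodeAll is the call that walks every frame, at the cost of decoding them all.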
Vulnerability mechanics
Root cause
"The image decoding logic did not properly restrict the types of images that could be decoded, leading to excessive memory allocation."
Attack vector
An authenticated user can upload a crafted TIFF image. The server attempts to decode this image, triggering excessive memory allocation during the decoding process. This resource exhaustion causes the server process to crash, leading to a denial-of-service condition.
Affected code
The vulnerability lies in `pkg/checker/file_type.go`, in the checker functions that `decodeAndCheckImageFile` runs (`standardImageConfigCheck` and `standardImageCheck`), which called the generic `image.DecodeConfig` and `image.Decode`. The commit replaces that generic, magic-byte-dispatched decoding with format-specific decoders selected by file extension, so decoders for unexpected image types registered with the `image` package are never invoked.
What the fix does
The patch replaces the generic `image.DecodeConfig` and `image.Decode` calls in `pkg/checker/file_type.go` with format-specific checks for JPEG, PNG and GIF [patch_id=5343581]. The generic functions dispatch on a file's magic bytes to whichever decoder is registered with the `image` package, so a TIFF payload uploaded under an allowed extension reached the TIFF decoder registered by a transitive dependency. The new `formatSpecificConfigCheck` and `formatSpecificImageCheck` switch on the file extension and call `jpeg.DecodeConfig`, `png.DecodeConfig` or `gif.DecodeConfig` (and the matching `Decode`), so the content is parsed only by the decoder the extension names; TIFF bytes under a .png name now fail in `png.DecodeConfig` instead of reaching the allocation. The megapixel comparison on the decoded config (not shown in the hunk) is unchanged.
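To make the dispatch difference described under Exploitation and in the fix above concrete, here is an added Go example; it is not Apache Answer's code. It registers a stub TIFF decoder the way a transitive dependency's init() would, then runs a TIFF payload named avatar.png through a pre-fix style generic check and a post-fix style extension-bound check. The stub decoder, the `megapixelLimit` guard, the constructed `TIFFPayload` and `PNGBytes` inputs, and all function names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/gif"
	"image/jpeg"
	"image/png"
	"io"
	"path/filepath"
	"strings"
)

// TIFFDecoderCalls counts how often the stand-in TIFF decoder below is reached.
var TIFFDecoderCalls int

// stubTIFFDecodeConfig plays the TIFF decoder a transitive dependency would register
// (assumption: a stub that records the call and advertises a huge canvas, not a real decoder).
func stubTIFFDecodeConfig(io.Reader) (image.Config, error) {
	TIFFDecoderCalls++
	return image.Config{ColorModel: color.RGBAModel, Width: 1 << 20, Height: 1 << 20}, nil
}

func init() {
	// What a real decoder's init() does: from here on image.Decode/DecodeConfig
	// route any payload starting with the TIFF magic here, whatever the file is called.
	image.RegisterFormat("tiff", "II*\x00", func(io.Reader) (image.Image, error) {
		TIFFDecoderCalls++
		return nil, errors.New("stub TIFF decoder: a real one would allocate the canvas here")
	}, stubTIFFDecodeConfig)
}

// megapixelLimit is the size guard on the decoded header (assumption: the project's own check is not in the hunks shown).
func megapixelLimit(cfg image.Config, format string, maxMegapixel int) error {
	if int64(cfg.Width)*int64(cfg.Height) > int64(maxMegapixel)*1_000_000 {
		return fmt.Errorf("%s image %dx%d exceeds %d megapixel", format, cfg.Width, cfg.Height, maxMegapixel)
	}
	return nil
}

// GenericConfigCheck mirrors the pre-fix pattern: the caller allow-listed the
// extension, but image.DecodeConfig ignores it and dispatches on magic bytes.
func GenericConfigCheck(data []byte, maxMegapixel int) error {
	cfg, format, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return fmt.Errorf("decode image config error: %w", err)
	}
	return megapixelLimit(cfg, format, maxMegapixel)
}

// FormatSpecificConfigCheck mirrors the fixed pattern: the extension selects the
// decoder, so TIFF bytes under a .png name are handed to png and rejected there.
func FormatSpecificConfigCheck(data []byte, fileName string, maxMegapixel int) error {
	ext := strings.ToLower(strings.TrimPrefix(filepath.Ext(fileName), "."))
	var cfg image.Config
	var err error
	r := bytes.NewReader(data)
	switch ext {
	case "jpg", "jpeg":
		cfg, err = jpeg.DecodeConfig(r)
	case "png":
		cfg, err = png.DecodeConfig(r)
	case "gif":
		cfg, err = gif.DecodeConfig(r)
	default:
		return fmt.Errorf("unsupported image format: %s", ext)
	}
	if err != nil {
		return fmt.Errorf("decode image config error: %w", err)
	}
	return megapixelLimit(cfg, ext, maxMegapixel)
}

// PNGBytes encodes a blank w×h PNG in memory (constructed sample input).
func PNGBytes(w, h int) []byte {
	var buf bytes.Buffer
	_ = png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, w, h)))
	return buf.Bytes()
}

// TIFFPayload is a constructed little-endian TIFF header; only the magic bytes matter for dispatch.
var TIFFPayload = []byte("II*\x00\x08\x00\x00\x00")

func main() {
	for _, up := range []struct {
		name string
		data []byte
	}{{"avatar.png", TIFFPayload}, {"avatar.png", PNGBytes(16, 16)}} {
		before := TIFFDecoderCalls
		genErr := GenericConfigCheck(up.data, 1)
		fmt.Printf("%s generic:  reached TIFF decoder=%v err=%v\n", up.name, TIFFDecoderCalls > before, genErr)
		before = TIFFDecoderCalls
		specErr := FormatSpecificConfigCheck(up.data, up.name, 1)
		fmt.Printf("%s specific: reached TIFF decoder=%v err=%v\n", up.name, TIFFDecoderCalls > before, specErr)
	}
}
```

Run it with `go run .`: for the TIFF payload the generic path reports that the TIFF decoder was reached (here only the stub's oversized canvas trips the limit; in the real bug the allocation happened inside the decoder), while the extension-bound path never touches it and fails in png.DecodeConfig. The honest PNG passes both paths, which is the behaviour the fix has to preserve.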
Preconditions
- auth: The attacker must be an authenticated user.
- input: The attacker must be able to upload a file, specifically a crafted TIFF image.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.