Medium severity 5.3 · NVD Advisory · Published Mar 25, 2026 · Updated Apr 21, 2026
CVE-2026-33809
Description
A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| golang.org/x/image (Go) | < 0.38.0 | 0.38.0 |
Affected products
References
- github.com/advisories/GHSA-44p7-9xx4-hf2g (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-33809 (ghsa, ADVISORY)
- pkg.go.dev/vuln/GO-2026-4815 (nvd, Vendor Advisory, WEB)
- cs.opensource.google/go/x/image (ghsa, PACKAGE)
- go.dev/cl/757660 (nvd, Mailing List, WEB)
- go.dev/issue/78267 (nvd, Issue Tracking, WEB)