High severity 7.5 · NVD Advisory · Published Apr 21, 2026 · Updated May 13, 2026

CVE-2026-33813


Description

Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Parsing a crafted WebP image with an oversized canvas causes a panic on 32-bit platforms due to missing size validation.

The vulnerability is in the Go x/image/webp package, specifically during the decoding of WebP images on 32-bit platforms. When a WebP image has a canvas size (width * height) that exceeds the maximum value representable by a 32-bit signed integer (2,147,483,647), the decoded image becomes corrupt and will trigger a panic when accessed [2].

An attacker can exploit this by supplying a specially crafted WebP image (e.g., one with an invalid, large canvas size in the VP8X header) to an application that uses the vulnerable library. No authentication is required, as the attack is triggered simply by parsing the image [1]. The issue stems from the lack of maximum size checks, even though the WebP specification requires that the canvas size not exceed 2^32-1 pixels [2].

The impact is a denial-of-service (DoS) condition: the application panics and crashes, affecting availability. On 32-bit platforms, the overflow leads to a corrupt internal representation that panics on use, while on 64-bit platforms the issue might manifest differently (e.g., memory exhaustion) [1][2].

A fix has been committed to the Go repository (issue 78407) and is included in the latest release of the relevant x/image package. Users should update to the patched version [1][2]. There is no indication that this vulnerability is being actively exploited in the wild.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
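A pre-decode guard for the VP8X canvas size described above, as an added example that is not code from x/image or from its fix. The names `checkVP8XCanvas` and `vp8xHeader` are hypothetical, the header bytes are constructed, and the 32-bit signed limit passed as the budget is an assumption taken from the narrative above.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Hypothetical error values for this example; they are not part of x/image.
var (
	errNotVP8X  = errors.New("webp: not a RIFF/WEBP file with a VP8X chunk")
	errTooLarge = errors.New("webp: canvas exceeds pixel budget")
)

// checkVP8XCanvas reads the 24-bit "minus one" canvas fields of the VP8X chunk
// and rejects a canvas with more than maxPixels pixels. The product is computed
// in uint64, so it cannot wrap even where int is 32 bits wide.
func checkVP8XCanvas(b []byte, maxPixels uint64) (w, h uint32, err error) {
	if len(b) < 30 || string(b[0:4]) != "RIFF" || string(b[8:12]) != "WEBP" ||
		string(b[12:16]) != "VP8X" || binary.LittleEndian.Uint32(b[16:20]) < 10 {
		return 0, 0, errNotVP8X
	}
	w = (uint32(b[24]) | uint32(b[25])<<8 | uint32(b[26])<<16) + 1
	h = (uint32(b[27]) | uint32(b[28])<<8 | uint32(b[29])<<16) + 1
	if uint64(w)*uint64(h) > maxPixels {
		return w, h, fmt.Errorf("%w: %dx%d", errTooLarge, w, h)
	}
	return w, h, nil
}

// vp8xHeader builds a constructed 30-byte RIFF/WEBP/VP8X header for the demo.
// It carries no image data and is not a decodable file.
func vp8xHeader(w, h uint32) []byte {
	b := make([]byte, 30)
	// "RIFF", size 22, "WEBP", "VP8X", chunk size 10; flags and reserved stay 0.
	copy(b, "RIFF\x16\x00\x00\x00WEBPVP8X\x0a\x00\x00\x00")
	w, h = w-1, h-1
	b[24], b[25], b[26] = byte(w), byte(w>>8), byte(w>>16)
	b[27], b[28], b[29] = byte(h), byte(h>>8), byte(h>>16)
	return b
}

func main() {
	for _, d := range [][2]uint32{{640, 480}, {1 << 24, 1 << 24}} {
		_, _, err := checkVP8XCanvas(vp8xHeader(d[0], d[1]), math.MaxInt32)
		fmt.Printf("%dx%d -> %v\n", d[0], d[1], err)
	}
}
```

Run a check like this on untrusted input before handing it to the decoder; a budget well below `math.MaxInt32` also bounds the memory a single image can claim.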


References

3
