—

GO-2026-5062

Lack of limit on tile sizes in x/image/tiff in golang.org/x/image

Details

The TIFF decoder does not set a limit on the size of tiles in tiled images, permitting a malicious or corrupt image containing a very large tile to cause unbounded memory consumption.

Are you affected?

Enter the version of the package you're using.

Affected packages

Go / golang.org/x/image

Introduced in: 0 Fixed in: 0.43.0

Fix go get golang.org/x/image@v0.43.0

References

https://go.dev/cl/788422 [FIX]
https://go.dev/issue/79905 [REPORT]