CVE-2026-46604

HIGH

Panic decoding image with out-of-bounds strip offset in x/image/tiff in golang.org/x/image

Title source: cna
STIX 2.1

Description

The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.

Scores

CVSS v3 7.5
EPSS 0.0035
EPSS Percentile 26.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-787
Status published
Products (2)
golang/tiff < 0.43.0
golang.org/x/image/golang.org/x/image/tiff < 0.43.0
Published Jun 26, 2026
Tracked Since Jun 27, 2026