{"id":"GO-2026-4815","summary":"OOM from malicious IFD offset in golang.org/x/image/tiff","details":"A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.","aliases":["CVE-2026-33809","GHSA-44p7-9xx4-hf2g"],"modified":"2026-05-15T10:59:06.494407614Z","published":"2026-03-25T18:02:02Z","related":["CGA-f77h-3r3h-h42j","RHSA-2026:7291","RHSA-2026:7385"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-4815"},"references":[{"type":"FIX","url":"https://go.dev/cl/757660"},{"type":"REPORT","url":"https://go.dev/issue/78267"}],"affected":[{"package":{"name":"golang.org/x/image","ecosystem":"Go","purl":"pkg:golang/golang.org/x/image"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.38.0"}]}],"ecosystem_specific":{"imports":[{"path":"golang.org/x/image/tiff","symbols":["Decode","DecodeConfig","buffer.ReadAt","buffer.Slice","buffer.fill"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-4815.json"}}],"schema_version":"1.7.5","credits":[{"name":"Andy Gill, ZephrSec Ltd"}]}