{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33813", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-23T20:35:32.814Z", "datePublished": "2026-04-21T19:21:27.644Z", "dateUpdated": "2026-04-22T15:34:46.427Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-21T19:21:27.644Z"}, "title": "Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image", "descriptions": [{"lang": "en", "value": "Parsing a WEBP image with an invalid, large size panics on 32-bit platforms."}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/webp", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/image/webp", "versions": [{"version": "0", "lessThan": "0.39.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "decode"}, {"name": "Decode"}, {"name": "DecodeConfig"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "references": [{"url": "https://go.dev/cl/759860"}, {"url": "https://go.dev/issue/78407"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4961"}], "credits": [{"lang": "en", "value": "Tristan Madani"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T15:23:43.643284Z", "id": "CVE-2026-33813", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:34:46.427Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33813", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T15:23:43.643284Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:23:59.710Z"}}], "cna": {"title": "Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image", "credits": [{"lang": "en", "value": "Tristan Madani"}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/webp", "versions": [{"status": "affected", "version": "0", "lessThan": "0.39.0", "versionType": "semver"}], "packageName": "golang.org/x/image/webp", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "decode"}, {"name": "Decode"}, {"name": "DecodeConfig"}]}], "references": [{"url": "https://go.dev/cl/759860"}, {"url": "https://go.dev/issue/78407"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4961"}], "descriptions": [{"lang": "en", "value": "Parsing a WEBP image with an invalid, large size panics on 32-bit platforms."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-190: Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-21T19:21:27.644Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33813", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:34:46.427Z", "dateReserved": "2026-03-23T20:35:32.814Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-04-21T19:21:27.644Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Parsing a WEBP image with an invalid, large size panics on 32-bit platforms."}], "id": "CVE-2026-33813", "lastModified": "2026-04-22T21:24:26.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T20:16:56.387", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/759860"}, {"source": "security@golang.org", "url": "https://go.dev/issue/78407"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4961"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Awaiting Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.39.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "golang.org/x/image/webp", "source": "cna", "vendor": "golang.org/x/image"}, "product": "image", "vendor": "golang"}], "analysis": {"en": {"generated_at": "2026-04-27T19:48:22.361781+00:00", "value": {"mitigation_remediation": ["Upgrade golang.org/x/image/webp to a patched version.", "Validate WebP images before decoding to reject oversized files.", "Run the application on a 64\u2011bit platform or isolate 32\u2011bit execution to prevent the overflow from causing a crash."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All versions of the golang.org/x/image/webp package used in Go applications on 32\u2011bit operating systems are affected. The vulnerability is tied to the WebP decoding code and is present until the library is updated with the fix described in the referenced Go issue.", "description_and_impact": "A WebP image decoder in golang.org/x/image/webp panics when parsing an image with an invalid, very large size on 32\u2011bit platforms. The panic occurs due to improper handling of the size value during parsing, causing the application to terminate. This failure to validate input leads to a denial of service because the application crashes when encountering the malformed image.", "risk_and_exploitability": "The exploit requires an attacker to supply a crafted WebP file with an oversized size field. On 32\u2011bit systems, the decoder will panic and terminate the process. No public exploit is listed, and the EPSS score of 0.00019 indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the issue from any environment that feeds WebP data to the decoder, but the risk is low for exposed services because the likelihood of exploitation is extremely low, even though the CVSS score of 7.5 shows the potential impact is moderate to high if exploited."}}}}, "created": "2026-04-22T05:30:09.560991+00:00", "updated": "2026-04-27T20:00:05.651094+00:00", "vendors": ["golang", "golang$PRODUCT$image"], "weaknesses": ["CWE-680"]}