CVE-2026-33809: Go Images vulnerable to an out-of-memory error via a crafted TIFF file

March 25, 2026 (updated March 30, 2026)

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

References

cs.opensource.google/go/x/image
github.com/advisories/GHSA-44p7-9xx4-hf2g
go.dev/cl/757660
go.dev/issue/78267
nvd.nist.gov/vuln/detail/CVE-2026-33809
pkg.go.dev/vuln/GO-2026-4815

Code Behaviors & Features

Detect and mitigate CVE-2026-33809 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →