VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-yj5c-4wbb-gbcx

Essentials
Severities (29)
References (9)
Severity details (14)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-yj5c-4wbb-gbcx
Aliases	CVE-2026-33809 GHSA-44p7-9xx4-hf2g
Summary	Go Images vulnerable to an out-of-memory error via a crafted TIFF file A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-770	Allocation of Resources Without Limits or Throttling
CWE-1285	Improper Validation of Specified Index, Position, or Offset in Input
CWE-400	Uncontrolled Resource Consumption
CWE-434	Unrestricted Upload of File with Dangerous Type

System	Score	Found at
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33809.json
epss	0.00011	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00012	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00012	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00012	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00012	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
epss	0.00036	https://api.first.org/data/v1/epss?cve=CVE-2026-33809
cvssv3.1	5.3	https://cs.opensource.google/go/x/image
generic_textual	MODERATE	https://cs.opensource.google/go/x/image
cvssv3.1	5.3	https://go.dev/cl/757660
generic_textual	MODERATE	https://go.dev/cl/757660
ssvc	Track	https://go.dev/cl/757660
cvssv3.1	5.3	https://go.dev/issue/78267
generic_textual	MODERATE	https://go.dev/issue/78267
ssvc	Track	https://go.dev/issue/78267
cvssv3.1	5.3	https://nvd.nist.gov/vuln/detail/CVE-2026-33809
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-33809
cvssv3.1	5.3	https://pkg.go.dev/vuln/GO-2026-4815
generic_textual	MODERATE	https://pkg.go.dev/vuln/GO-2026-4815
ssvc	Track	https://pkg.go.dev/vuln/GO-2026-4815

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33809.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-33809
		https://cs.opensource.google/go/x/image
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33809
		https://go.dev/cl/757660
		https://go.dev/issue/78267
		https://nvd.nist.gov/vuln/detail/CVE-2026-33809
		https://pkg.go.dev/vuln/GO-2026-4815
2451437		https://bugzilla.redhat.com/show_bug.cgi?id=2451437

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33809.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://cs.opensource.google/go/x/image

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://go.dev/cl/757660

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:05:32Z/ Found at https://go.dev/cl/757660

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://go.dev/issue/78267

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:05:32Z/ Found at https://go.dev/issue/78267

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33809

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://pkg.go.dev/vuln/GO-2026-4815

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:05:32Z/ Found at https://pkg.go.dev/vuln/GO-2026-4815

Exploit Prediction Scoring System (EPSS)

Percentile	0.01533
EPSS Score	0.00011
Published At	April 24, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:53:24.514176+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-44p7-9xx4-hf2g/GHSA-44p7-9xx4-hf2g.json	38.0.0