Platform
go
Component
golang.org/x/image/webp
Fixed in
0.39.0
This vulnerability, CVE-2026-33813, is a panic in the decoder of the golang.org/x/image/webp library. An attacker can trigger it by supplying a specially crafted WEBP image that declares an excessively large size. On 32-bit platforms the decoder panics and the process crashes, which is a denial-of-service condition. All versions before 0.39.0 are affected; the fix ships in version 0.39.0.
The impact of CVE-2026-33813 is denial of service (DoS). An attacker sends a malicious WEBP image to an application that decodes untrusted images with golang.org/x/image/webp; the excessive declared size triggers a panic and the application crashes. Whether the whole process dies depends on where the decode runs: net/http recovers a panic raised inside a handler and drops only that connection, but a panic in a background goroutine, a worker, or a CLI tool terminates the process. The crash only occurs on 32-bit builds; 64-bit builds are not reported to be affected. The blast radius is the affected application instance, but repeated requests can keep it unavailable. No data is exposed, although an outage of this kind can serve as cover for other malicious activity.
CVE-2026-33813 is not listed in CISA's KEV catalog, and its EPSS score is low (0.06%, 20th percentile). The probability of exploitation is considered low because a crafted WEBP image is required and only 32-bit builds are affected. No public proof-of-concept (PoC) code has been disclosed as of the publication date. The vulnerability was published on 2026-04-21.
Exploit status
EPSS
0.06% (20th percentile)
The recommended mitigation for CVE-2026-33813 is to upgrade golang.org/x/image to version 0.39.0 or later. If upgrading is not immediately feasible, validate input before decoding: read the declared width and height from the image header (image.DecodeConfig, with the webp format registered, is designed to read only the header and allocate no pixel buffer) and reject anything above a pixel budget your service can afford. Note that the dimensions live in a few header bytes, so a file of a few dozen bytes can declare an enormous canvas; a Web Application Firewall (WAF) rule keyed on request or file size is therefore not a reliable control for this issue. After upgrading, confirm that the resolved module version is 0.39.0 or later and, if you want to reproduce the fix, test on a 32-bit build (for example GOARCH=386), because the panic does not occur on 64-bit hosts and a passing test there proves nothing.
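The following is an added illustration of the pre-decode dimension check described above; it is not code from the advisory or from the x/image project. It parses only the RIFF container and the first VP8, VP8L or VP8X chunk header to recover the declared width and height, then rejects the image when the pixel count exceeds a budget, all before the bytes would reach golang.org/x/image/webp. It assumes the application already holds the whole file in memory; the 64-megapixel budget and the header-only sample files are constructed for the example. The product of the dimensions is computed in uint64 so that the check itself cannot wrap on a 32-bit build.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrTooLarge = errors.New("webp: declared dimensions exceed pixel budget")

// WebPDimensions parses only the RIFF container and the first VP8/VP8L/VP8X chunk
// header and returns the declared width and height. It allocates nothing
// proportional to the image, so it is safe to run on untrusted bytes.
func WebPDimensions(data []byte) (width, height int, err error) {
	if len(data) < 12 || string(data[0:4]) != "RIFF" || string(data[8:12]) != "WEBP" {
		return 0, 0, errors.New("webp: not a RIFF/WEBP container")
	}
	for pos := 12; pos+8 <= len(data); {
		fourcc := string(data[pos : pos+4])
		size := int(binary.LittleEndian.Uint32(data[pos+4 : pos+8]))
		payload := data[pos+8:]
		if size < 0 || size > len(payload) { // size < 0 is the 32-bit int wrap case
			return 0, 0, errors.New("webp: chunk size exceeds input")
		}
		payload = payload[:size]
		switch fourcc {
		case "VP8 ": // lossy: 3-byte frame tag, start code 9d 01 2a, 14-bit width, 14-bit height
			if size < 10 || payload[0]&1 != 0 || payload[3] != 0x9d || payload[4] != 0x01 || payload[5] != 0x2a {
				return 0, 0, errors.New("webp: malformed VP8 key frame header")
			}
			w := int(binary.LittleEndian.Uint16(payload[6:8]) & 0x3fff)
			h := int(binary.LittleEndian.Uint16(payload[8:10]) & 0x3fff)
			return w, h, nil
		case "VP8L": // lossless: 0x2f signature, then 14-bit width-1 and 14-bit height-1
			if size < 5 || payload[0] != 0x2f {
				return 0, 0, errors.New("webp: malformed VP8L header")
			}
			bits := binary.LittleEndian.Uint32(payload[1:5])
			return int(bits&0x3fff) + 1, int((bits>>14)&0x3fff) + 1, nil
		case "VP8X": // extended: flags(1), reserved(3), 24-bit canvas width-1, 24-bit canvas height-1
			if size < 10 {
				return 0, 0, errors.New("webp: malformed VP8X header")
			}
			w := int(payload[4]) | int(payload[5])<<8 | int(payload[6])<<16
			h := int(payload[7]) | int(payload[8])<<8 | int(payload[9])<<16
			return w + 1, h + 1, nil
		}
		pos += 8 + size + size&1 // chunk payloads are padded to an even length
	}
	return 0, 0, errors.New("webp: no image chunk found")
}

// CheckPixelBudget gates an untrusted WEBP on its declared pixel count. The product
// is computed in uint64 so the check cannot wrap on GOARCH=386 or 32-bit arm.
func CheckPixelBudget(data []byte, maxPixels uint64) (int, int, error) {
	w, h, err := WebPDimensions(data)
	if err != nil {
		return 0, 0, err
	}
	if w <= 0 || h <= 0 || uint64(w)*uint64(h) > maxPixels {
		return w, h, fmt.Errorf("%w: %dx%d", ErrTooLarge, w, h)
	}
	return w, h, nil
}

// riff wraps one chunk in a RIFF/WEBP container (constructed test input, not a real image).
func riff(fourcc string, payload []byte) []byte {
	chunk := append([]byte(fourcc), 0, 0, 0, 0)
	binary.LittleEndian.PutUint32(chunk[4:], uint32(len(payload)))
	chunk = append(chunk, payload...)
	if len(payload)%2 == 1 {
		chunk = append(chunk, 0)
	}
	out := append([]byte("RIFF"), 0, 0, 0, 0)
	binary.LittleEndian.PutUint32(out[4:], uint32(4+len(chunk)))
	return append(append(out, "WEBP"...), chunk...)
}

// vp8lFile builds a header-only VP8L file declaring w x h (constructed, not decodable).
func vp8lFile(w, h int) []byte {
	payload := []byte{0x2f, 0, 0, 0, 0}
	binary.LittleEndian.PutUint32(payload[1:], uint32(w-1)&0x3fff|(uint32(h-1)&0x3fff)<<14)
	return riff("VP8L", payload)
}

// vp8xFile builds a header-only VP8X file declaring w x h, each up to 2^24 (constructed).
func vp8xFile(w, h int) []byte {
	p := make([]byte, 10)
	p[4], p[5], p[6] = byte(w-1), byte((w-1)>>8), byte((w-1)>>16)
	p[7], p[8], p[9] = byte(h-1), byte((h-1)>>8), byte((h-1)>>16)
	return riff("VP8X", p)
}

func main() {
	const budget = 64 << 20 // 64 megapixels; an assumed limit, tune per deployment
	for _, f := range [][]byte{vp8lFile(1920, 1080), vp8lFile(16383, 16383), vp8xFile(1<<24, 1<<24)} {
		w, h, err := CheckPixelBudget(f, budget)
		fmt.Printf("%2d bytes on the wire, declares %8dx%-8d -> err=%v\n", len(f), w, h, err)
	}
}
```

Only when CheckPixelBudget returns nil would the bytes be passed on to webp.Decode. The sample run shows the point made above about WAF size filters: a 26-byte file declares a 16383x16383 canvas and a 30-byte VP8X file declares one of 2^24 by 2^24 pixels, so byte count says nothing about what the decoder will be asked to allocate.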
Update the golang.org/x/image/webp library to version 0.39.0 or later to avoid the panic when decoding large WEBP images on 32-bit platforms. This update corrects the handling of potentially large image sizes, preventing the crash.
CVE-2026-33813 is a vulnerability in the golang.org/x/image/webp library: decoding a malformed WEBP image that declares an excessively large size causes a panic, leading to a denial of service on 32-bit systems.
You are affected if your application uses a golang.org/x/image/webp version earlier than 0.39.0 and runs on a 32-bit platform.
Upgrade to version 0.39.0 or later of golang.org/x/image/webp. As a temporary workaround, validate the declared WEBP image dimensions before decoding.
There are currently no publicly known active campaigns exploiting CVE-2026-33813, but the potential for exploitation exists.
Refer to the official Go project security announcements for details: https://go.dev/security