Platform
go
Component
golang.org/x/image/font/sfnt
Fixed in
0.39.0
CVE-2026-33812 is a memory exhaustion vulnerability in golang.org/x/image/font/sfnt, the Go package that parses fonts in the SFNT container format (TrueType and OpenType). An attacker who can supply a specially crafted font file can drive the parser into excessive memory allocation, resulting in a denial of service. All versions before 0.39.0 are affected; the fix ships in version 0.39.0.
The primary impact of CVE-2026-33812 is denial of service (DoS). An attacker who controls a font file processed by an application using the vulnerable golang.org/x/image/font/sfnt package can craft the file so that parsing it allocates far more memory than the file's size warrants. On a constrained host this exhausts available memory, crashing the application or, where several services share the host, destabilising it. The severity depends on how critical the affected application is and on how much memory the target has to spare. Direct data exfiltration is unlikely, but the outage itself disrupts service and can be used to mask other malicious activity. Because the trigger is font parsing, the exposed applications are those that accept fonts from outside: upload endpoints that accept user fonts, document converters and viewers, image or PDF generators that embed user-selected fonts, and UI frameworks that load fonts from untrusted sources.
CVE-2026-33812 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code is known, and the vulnerability is not listed in the CISA KEV catalog at the time of writing. The EPSS score is 0.01% (2nd percentile); with no public exploit, the probability of exploitation is currently assessed as low. Note that EPSS reflects observed exploitation activity rather than how easy the bug is to trigger, so it should not be read as a measure of difficulty.
Exploit Status
EPSS
0.01% (2nd percentile)
The recommended mitigation for CVE-2026-33812 is to upgrade to version 0.39.0 or later of golang.org/x/image (the module that contains font/sfnt). If upgrading is not immediately feasible, reduce the chance that a crafted font reaches the parser: enforce a hard size cap on font files before they are read, validate the SFNT header and table directory (magic number, table count, and that every table's offset and length fall inside the file) before handing the bytes to the parser, and where possible parse untrusted fonts in a separate worker process with an operating-system memory limit so that a malicious file kills the worker rather than the service. A WAF or reverse proxy cannot inspect font structure, so it will not block the vulnerability itself, but strict content-type and request-size limits at the edge keep oversized or mislabelled uploads from reaching the application at all. To find out whether your code actually reaches the vulnerable function, run `govulncheck ./...` from golang.org/x/vuln against the repository; `go mod tidy` only cleans up dependencies and does not report vulnerabilities.
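The pre-parse checks described above, as an added example in Go. This is not code from the page or from golang.org/x/image, and the page does not describe where in sfnt the excessive allocation occurs, so the validator makes no claim to reproduce the fix; it rejects inputs whose header or table directory could not describe a well-formed file without touching any table contents. The size and table-count limits are assumptions chosen for the example, and the sample fonts are constructed byte strings, not real fonts. Only the standard library is used so the example runs without the vulnerable module.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Limits assumed for this example; tune them to the fonts you actually serve.
const (
	maxFontBytes = 8 << 20 // 8 MiB cap applied before any parsing
	maxTables    = 64      // real fonts carry well under 64 tables
	headerLen    = 12      // sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
	recordLen    = 16      // tag(4) checksum(4) offset(4) length(4)
)

var ErrFontRejected = errors.New("font rejected by pre-parse validation")

// ValidateSFNT checks the parts of an SFNT file that a parser reads first:
// overall size, magic number, table count, and that every table record points
// inside the file. It deliberately interprets no table contents; its job is to
// refuse obviously malformed input cheaply before a full parser sees it.
func ValidateSFNT(data []byte) error {
	if len(data) > maxFontBytes {
		return fmt.Errorf("%w: %d bytes exceeds cap of %d", ErrFontRejected, len(data), maxFontBytes)
	}
	if len(data) < headerLen {
		return fmt.Errorf("%w: %d bytes is shorter than the offset table", ErrFontRejected, len(data))
	}
	switch magic := binary.BigEndian.Uint32(data[:4]); magic {
	case 0x00010000, 0x4F54544F /* 'OTTO' */, 0x74727565 /* 'true' */:
		// single-font TrueType, CFF-based OpenType, Apple TrueType
	case 0x74746366: // 'ttcf': collections need per-font offset checks; this validator does not accept them
		return fmt.Errorf("%w: TrueType collections are not accepted here", ErrFontRejected)
	default:
		return fmt.Errorf("%w: unknown sfntVersion 0x%08x", ErrFontRejected, magic)
	}
	numTables := int(binary.BigEndian.Uint16(data[4:6]))
	if numTables == 0 || numTables > maxTables {
		return fmt.Errorf("%w: numTables=%d outside 1..%d", ErrFontRejected, numTables, maxTables)
	}
	// The directory itself must fit: a large numTables on a tiny file fails here
	// instead of being used to size an allocation.
	dirEnd := headerLen + numTables*recordLen
	if dirEnd > len(data) {
		return fmt.Errorf("%w: table directory (%d bytes) overruns file (%d bytes)", ErrFontRejected, dirEnd, len(data))
	}
	for i := 0; i < numTables; i++ {
		rec := data[headerLen+i*recordLen:]
		tag := string(rec[0:4])
		off := uint64(binary.BigEndian.Uint32(rec[8:12]))
		length := uint64(binary.BigEndian.Uint32(rec[12:16]))
		// uint64 arithmetic so off+length cannot wrap on 32-bit targets
		if off+length > uint64(len(data)) {
			return fmt.Errorf("%w: table %q at [%d,+%d) overruns file (%d bytes)", ErrFontRejected, tag, off, length, len(data))
		}
	}
	return nil
}

type tableRec struct {
	tag         string
	off, length uint32
}

// buildFont assembles a constructed sfnt byte stream for the examples below
// (not a real font): header, directory, then zero padding up to totalLen bytes.
func buildFont(numTables uint16, recs []tableRec, totalLen int) []byte {
	buf := make([]byte, 0, totalLen)
	buf = binary.BigEndian.AppendUint32(buf, 0x00010000)
	buf = binary.BigEndian.AppendUint16(buf, numTables)
	buf = append(buf, 0, 0, 0, 0, 0, 0) // searchRange, entrySelector, rangeShift: not checked
	for _, r := range recs {
		buf = append(buf, r.tag...)
		buf = binary.BigEndian.AppendUint32(buf, 0) // checksum, not checked
		buf = binary.BigEndian.AppendUint32(buf, r.off)
		buf = binary.BigEndian.AppendUint32(buf, r.length)
	}
	for len(buf) < totalLen {
		buf = append(buf, 0)
	}
	return buf
}

func main() {
	samples := map[string][]byte{
		"wellFormed": buildFont(2, []tableRec{{"head", 44, 54}, {"maxp", 98, 32}}, 130),
		"hugeCount":  buildFont(65535, nil, 64),                                 // table count far beyond any real font
		"shortDir":   buildFont(64, nil, 64),                                    // plausible count, directory past EOF
		"overrun":    buildFont(1, []tableRec{{"glyf", 28, 0xFFFFFFF0}}, 64),    // table length past EOF
	}
	for name, f := range samples {
		fmt.Printf("%-10s -> %v\n", name, ValidateSFNT(f))
	}
}
```

Run this in front of the real parser, not instead of it: a file that passes these checks can still be malicious, so the upgrade remains the actual fix and a per-process memory limit remains the backstop.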
Update the golang.org/x/image module to version 0.39.0 or later so that decoding a malicious SFNT font no longer triggers excessive memory allocation in font/sfnt, closing the denial-of-service vector.
CVE-2026-33812 is a vulnerability in the golang.org/x/image/font/sfnt library where parsing malicious font files can cause excessive memory allocation, potentially leading to a denial-of-service.
You are affected if your Go application uses a version of golang.org/x/image/font/sfnt earlier than 0.39.0 and processes font files from untrusted sources.
Upgrade to version 0.39.0 or later of the golang.org/x/image/font/sfnt library. Implement input validation on font files if immediate upgrading is not possible.
There is currently no evidence of active exploitation or publicly available proof-of-concept code.
Refer to the official Go project security announcements for details: https://go.dev/security