Platform
go
Component
golang.org/x/image/font/sfnt
Fixed version
0.39.0
CVE-2026-33812 describes a memory exhaustion vulnerability discovered in the golang.org/x/image/font/sfnt library, a component used for parsing SFNT (TrueType and OpenType) font files within Go applications. An attacker can trigger this vulnerability by providing a specially crafted malicious font file, leading to excessive memory allocation and potentially a denial-of-service condition. This vulnerability affects versions 0.0.0 through 0.39.0, and a fix is available in version 0.39.0.
The primary impact of CVE-2026-33812 is a denial-of-service (DoS). An attacker who can control the font files processed by applications using the vulnerable golang.org/x/image/font/sfnt library can craft a malicious font that triggers excessive memory allocation. This can exhaust available memory resources on the system, leading to application crashes, system instability, or even complete system unavailability. The severity of the impact depends on the criticality of the affected application and the resources available on the target system. While direct data exfiltration is unlikely, the DoS condition can disrupt services and potentially mask other malicious activities. The vulnerability's reliance on font file parsing means it's most likely to impact applications that render fonts, such as image processing tools, document viewers, or UI frameworks.
CVE-2026-33812 was publicly disclosed on 2026-04-21. There is currently no known public proof-of-concept (PoC) code available. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The EPSS score is pending evaluation, but given the lack of public exploits, the probability of exploitation is currently considered low.
Applications written in Go that utilize the golang.org/x/image/font/sfnt library for font parsing are at risk. This includes image processing tools, document viewers, UI frameworks, and any other application that renders fonts. Specifically, projects relying on older versions of the library (0.0.0–0.39.0) are vulnerable, especially those that accept font files from untrusted sources.
• go: Inspect application code for imports of golang.org/x/image/font/sfnt and verify the version. The sfnt package ships inside the golang.org/x/image module, so check the module version with go list -m golang.org/x/image (or go list -m all | grep golang.org/x/image).
• go: Monitor memory usage of Go applications that process font files. Unexpected spikes in memory consumption could indicate exploitation.
• generic web: If the application serves font files, check access logs for unusual requests for font files from unknown sources.
# Example: count (client, path) pairs for font requests, excluding local traffic, most frequent first.
# Assumes Common Log Format: client address in field 1, request path in field 7.
grep "/font/" access.log | grep -v "localhost" | awk '{print $1, $7}' | sort | uniq -c | sort -nr
Exploitation status
EPSS
0.01% (2nd percentile)
The recommended mitigation for CVE-2026-33812 is to upgrade to version 0.39.0 or later of the golang.org/x/image/font/sfnt library. If upgrading is not immediately feasible, consider implementing input validation on font files before processing them. This could involve checking file sizes, validating font file headers, or using a font validation library to detect potentially malicious fonts. A WAF or proxy is unlikely to mitigate this vulnerability directly, since the flaw is in application-layer parsing, but strict file type validation at the web server level can keep malicious font files from reaching the application. Keep go.mod current with go mod tidy and regularly scan dependencies for known vulnerabilities with a scanner such as govulncheck.
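The paragraph above suggests size checks and header validation as a stopgap before the upgrade. The following is an added example, not code from golang.org/x/image or from this advisory: a stdlib-only pre-check that parses the SFNT offset table and table directory and rejects a file whose declared tables do not fit inside it, so an inflated length field cannot drive an allocation downstream. The 16 MiB size budget, the 64-table cap, and the sample fonts built by BuildFont and Samples are assumptions constructed for the example; the four sfntVersion values are the standard TrueType, 'OTTO', 'true' and 'ttcf' tags.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not code from golang.org/x/image: a stdlib-only pre-check on
// the SFNT offset table and table directory, run before any font parser sees
// the bytes. The size and table-count limits below are assumptions.
const (
	maxFontBytes    = 16 << 20   // assumed per-file budget (16 MiB)
	maxTableCount   = 64         // assumed cap; real fonts carry roughly 10-30 tables
	offsetTableLen  = 12         // sfntVersion(4) + numTables(2) + 3 x uint16
	tableRecordLen  = 16         // tag(4) + checksum(4) + offset(4) + length(4)
	versionTrueType = 0x00010000 // TrueType outlines
	versionOTTO     = 0x4F54544F // 'OTTO': CFF outlines
	versionTrue     = 0x74727565 // 'true': Apple TrueType
	versionTTCF     = 0x74746366 // 'ttcf': font collection
)

// ErrBadFont wraps every rejection so callers can test with errors.Is.
var ErrBadFont = errors.New("sfnt precheck: rejected")

// ValidateSFNTHeader returns nil when data carries a single, self-consistent SFNT
// header, else a wrapped ErrBadFont. Collections ('ttcf') are rejected by design.
func ValidateSFNTHeader(data []byte) error {
	if len(data) > maxFontBytes {
		return fmt.Errorf("%w: %d bytes exceeds limit of %d", ErrBadFont, len(data), maxFontBytes)
	}
	if len(data) < offsetTableLen {
		return fmt.Errorf("%w: %d bytes is too short for an offset table", ErrBadFont, len(data))
	}
	switch v := binary.BigEndian.Uint32(data[0:4]); v {
	case versionTrueType, versionOTTO, versionTrue:
	case versionTTCF:
		return fmt.Errorf("%w: font collections are not accepted", ErrBadFont)
	default:
		return fmt.Errorf("%w: unknown sfntVersion 0x%08X", ErrBadFont, v)
	}
	numTables := int(binary.BigEndian.Uint16(data[4:6]))
	if numTables == 0 || numTables > maxTableCount {
		return fmt.Errorf("%w: numTables=%d outside 1..%d", ErrBadFont, numTables, maxTableCount)
	}
	dirEnd := offsetTableLen + numTables*tableRecordLen
	if dirEnd > len(data) {
		return fmt.Errorf("%w: table directory of %d bytes extends past end of file", ErrBadFont, dirEnd)
	}
	for i := 0; i < numTables; i++ {
		rec := data[offsetTableLen+i*tableRecordLen:][:tableRecordLen]
		tag := string(rec[0:4])
		offset := uint64(binary.BigEndian.Uint32(rec[8:12]))
		length := uint64(binary.BigEndian.Uint32(rec[12:16]))
		// Bounds arithmetic in uint64, so offset+length cannot wrap as it would in uint32.
		if offset < uint64(dirEnd) || offset+length > uint64(len(data)) {
			return fmt.Errorf("%w: table %q spans [%d,%d) outside the file", ErrBadFont, tag, offset, offset+length)
		}
	}
	return nil
}

// BuildFont assembles a TrueType-flavoured SFNT image; tags[i] is the four-byte
// tag for bodies[i]. Checksums and search fields stay zero; the check ignores them.
func BuildFont(tags []string, bodies [][]byte) []byte {
	out := make([]byte, offsetTableLen+len(tags)*tableRecordLen)
	binary.BigEndian.PutUint32(out[0:4], versionTrueType)
	binary.BigEndian.PutUint16(out[4:6], uint16(len(tags)))
	for i, tag := range tags {
		rec := out[offsetTableLen+i*tableRecordLen:][:tableRecordLen]
		copy(rec[0:4], tag)
		binary.BigEndian.PutUint32(rec[8:12], uint32(len(out))) // payload goes at the current end
		binary.BigEndian.PutUint32(rec[12:16], uint32(len(bodies[i])))
		out = append(out, bodies[i]...)
	}
	return out
}

// Samples returns a constructed well-formed font and a tampered copy whose "glyf"
// record claims a length of 0xFFFFFFFF, a directory entry a parser must not trust.
func Samples() (good, bad []byte) {
	good = BuildFont([]string{"head", "maxp", "glyf"},
		[][]byte{make([]byte, 54), make([]byte, 6), {1, 2, 3, 4}})
	bad = append([]byte(nil), good...)
	lengthField := offsetTableLen + 2*tableRecordLen + 12 // length field of the third record
	binary.BigEndian.PutUint32(bad[lengthField:], 0xFFFFFFFF)
	return good, bad
}

func main() {
	good, bad := Samples()
	fmt.Println("good:", ValidateSFNTHeader(good)) // <nil>
	fmt.Println("bad: ", ValidateSFNTHeader(bad))  // rejection naming the "glyf" table
}
```

Run ValidateSFNTHeader on the bytes read from the upload (after an io.LimitReader or equivalent size cap) and only hand the buffer to sfnt.Parse when it returns nil. The check deliberately stops at the directory: it does not parse table contents, so it is a cheap filter that catches inconsistent length and offset fields, not a substitute for the upgrade.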
Update the golang.org/x/image/font/sfnt library to version 0.39.0 or later to mitigate the risk of excessive memory allocation when decoding malicious SFNT fonts. This will prevent possible denial of service or security vulnerabilities.
CVE-2026-33812 is a vulnerability in the golang.org/x/image/font/sfnt library where parsing malicious font files can cause excessive memory allocation, potentially leading to a denial-of-service.
You are affected if your Go application uses golang.org/x/image/font/sfnt version 0.0.0–0.39.0 and processes font files from untrusted sources.
Upgrade to version 0.39.0 or later of the golang.org/x/image/font/sfnt library. Implement input validation on font files if immediate upgrading is not possible.
There is currently no evidence of active exploitation or publicly available proof-of-concept code.
Refer to the official Go project security announcements for details: https://go.dev/security