Platform: go
Component: golang.org/x/image/webp
Fixed in: 0.39.0
This vulnerability, CVE-2026-33813, involves a heap panic within the golang.org/x/image/webp library. An attacker can trigger this panic by providing a specially crafted WEBP image with an excessively large size. This results in a crash on 32-bit platforms, potentially leading to a denial-of-service condition. Affected versions include 0.0.0 through 0.39.0; the vulnerability is resolved in version 0.39.0.
The primary impact of CVE-2026-33813 is a denial-of-service (DoS). An attacker could exploit this by sending a malicious WEBP image to an application that utilizes the golang.org/x/image/webp library for image processing. The large size of the image triggers a heap panic, causing the application to crash. This is particularly concerning on 32-bit systems where memory resources are more constrained, making them more susceptible to this type of exploitation. The blast radius is limited to the affected application instance; however, repeated attacks could disrupt service availability. While no direct data exfiltration is possible, the DoS can be used as a distraction for other malicious activities.
CVE-2026-33813 is not currently listed on KEV or EPSS. The probability of exploitation is considered low because a crafted WEBP image is required and the impact is specific to 32-bit systems. No proof-of-concept (PoC) code had been publicly disclosed as of the publication date. The vulnerability was published on 2026-04-21.
Exploit status
EPSS: 0.06% (20th percentile)
The recommended mitigation for CVE-2026-33813 is to upgrade to version 0.39.0 of the golang.org/x/image/webp library. If upgrading is not immediately feasible, consider implementing input validation to restrict the maximum dimensions of WEBP images processed by your application. This can be achieved by checking the image width and height before decoding. Additionally, consider using a Web Application Firewall (WAF) to filter out potentially malicious WEBP images based on file size. After upgrading, confirm the fix by attempting to decode a large WEBP image and verifying that no panic occurs.
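The dimension pre-check described above, written as an added example (not code from the page or from the x/image project): it reads only the WebP container header (VP8X extended or VP8L lossless), so the policy decision is made before any pixel buffer is allocated, which also matters because a tiny file can declare a huge canvas. The maxPixels limit is an assumed application policy and vp8xHeader only builds constructed test input.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// maxPixels is an assumed application policy (hypothetical value); canvases above it never reach the decoder.
const maxPixels uint64 = 16384 * 16384

// webpDimensions reads the declared canvas size from the first chunk (VP8X or VP8L) without decoding.
func webpDimensions(b []byte) (width, height uint64, err error) {
	if len(b) < 20 || string(b[0:4]) != "RIFF" || string(b[8:12]) != "WEBP" {
		return 0, 0, fmt.Errorf("not a RIFF/WEBP container")
	}
	fourcc, payload := string(b[12:16]), b[20:]
	switch {
	case fourcc == "VP8X" && len(payload) >= 10: // flags(1), reserved(3), 24-bit LE width-1, height-1
		width = uint64(payload[4]) | uint64(payload[5])<<8 | uint64(payload[6])<<16
		height = uint64(payload[7]) | uint64(payload[8])<<8 | uint64(payload[9])<<16
		return width + 1, height + 1, nil
	case fourcc == "VP8L" && len(payload) >= 5 && payload[0] == 0x2f: // 14-bit width-1, 14-bit height-1, LSB first
		bits := uint64(binary.LittleEndian.Uint32(payload[1:5]))
		return (bits & 0x3fff) + 1, ((bits >> 14) & 0x3fff) + 1, nil
	}
	return 0, 0, fmt.Errorf("unsupported or truncated first chunk")
}

// checkWebPSize returns nil only when the declared canvas is within policy; the product is uint64, so it cannot wrap on 32-bit.
func checkWebPSize(b []byte) error {
	w, h, err := webpDimensions(b)
	if err != nil {
		return err
	}
	if w*h > maxPixels {
		return fmt.Errorf("webp canvas %dx%d exceeds %d-pixel limit", w, h, maxPixels)
	}
	return nil
}

// vp8xHeader builds a constructed VP8X container header for the given canvas size (no pixel data).
func vp8xHeader(w, h uint32) []byte {
	b := []byte("RIFF\x00\x00\x00\x00WEBPVP8X\x0a\x00\x00\x00\x00\x00\x00\x00")
	w, h = w-1, h-1 // the header stores width-1 and height-1
	return append(b, byte(w), byte(w>>8), byte(w>>16), byte(h), byte(h>>8), byte(h>>16))
}

func main() {
	fmt.Println(checkWebPSize(vp8xHeader(1024, 768)), checkWebPSize(vp8xHeader(65536, 65536)))
}
```

Run the check on the raw bytes before handing them to webp.Decode; a rejected header costs no allocation at all.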
Update the golang.org/x/image/webp library to version 0.39.0 or later to avoid the panic when decoding large WEBP images on 32-bit platforms. This update corrects the handling of potentially large image sizes, preventing the crash.
CVE-2026-33813 is a vulnerability in the golang.org/x/image/webp library where processing a malformed WEBP image with a large size can cause a heap panic, leading to a denial-of-service on 32-bit systems.
You are affected if your application uses golang.org/x/image/webp versions 0.0.0 through 0.39.0 and runs on a 32-bit platform.
Upgrade to version 0.39.0 of golang.org/x/image/webp. As a temporary workaround, implement input validation to restrict WEBP image dimensions.
There are currently no publicly known active campaigns exploiting CVE-2026-33813, but the potential for exploitation exists.
Refer to the official Go project security announcements for details: https://go.dev/security