{"api_version":"1","generated_at":"2026-05-31T23:42:58+00:00","cve":"CVE-2026-46599","urls":{"html":"https://cve.report/CVE-2026-46599","api":"https://cve.report/api/cve/CVE-2026-46599.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-46599","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-46599"},"summary":{"title":"Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff","description":"The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.","state":"PUBLISHED","assigner":"Go","published_at":"2026-05-29 20:16:28","updated_at":"2026-05-29 20:16:28"},"problem_types":["CWE-770: Allocation of Resources Without Limits or Throttling"],"metrics":[],"references":[{"url":"https://go.dev/cl/759960","name":"https://go.dev/cl/759960","refsource":"security@golang.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://go.dev/issue/79577","name":"https://go.dev/issue/79577","refsource":"security@golang.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://pkg.go.dev/vuln/GO-2026-5032","name":"https://pkg.go.dev/vuln/GO-2026-5032","refsource":"security@golang.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://groups.google.com/g/golang-announce/c/uhYX90BlBvI","name":"https://groups.google.com/g/golang-announce/c/uhYX90BlBvI","refsource":"security@golang.org","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-46599","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46599","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"golang.org/x/image","product":"golang.org/x/image/tiff","version":"affected from 0 before 0.41.0 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Uuganbayar Lkhamsuren","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"46599","cve":"CVE-2026-46599","epss":"0.000180000","percentile":"0.049330000","score_date":"2026-05-30","updated_at":"2026-05-31 00:14:02"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"collectionURL":"https://pkg.go.dev","defaultStatus":"unaffected","packageName":"golang.org/x/image/tiff","product":"golang.org/x/image/tiff","programRoutines":[{"name":"unpackBits"},{"name":"Decode"}],"vendor":"golang.org/x/image","versions":[{"lessThan":"0.41.0","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","value":"Uuganbayar Lkhamsuren"}],"descriptions":[{"lang":"en","value":"The TIFF decoder does not place a limit on the size of PackBits-compressed data. 
A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data."}],"problemTypes":[{"descriptions":[{"description":"CWE-770: Allocation of Resources Without Limits or Throttling","lang":"en"}]}],"providerMetadata":{"dateUpdated":"2026-05-29T19:35:33.539Z","orgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","shortName":"Go"},"references":[{"url":"https://go.dev/issue/79577"},{"url":"https://go.dev/cl/759960"},{"url":"https://groups.google.com/g/golang-announce/c/uhYX90BlBvI"},{"url":"https://pkg.go.dev/vuln/GO-2026-5032"}],"title":"Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff"}},"cveMetadata":{"assignerOrgId":"1bb62c36-49e3-4200-9d77-64a1400537cc","assignerShortName":"Go","cveId":"CVE-2026-46599","datePublished":"2026-05-29T19:35:33.539Z","dateReserved":"2026-05-15T17:35:00.813Z","dateUpdated":"2026-05-29T19:35:33.539Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-29 20:16:28","lastModifiedDate":"2026-05-29 20:16:28","problem_types":["CWE-770: Allocation of Resources Without Limits or Throttling"],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"46599","Ordinal":"1","Title":"Excessive resource consumption in PackBits decompression in gola","CVE":"CVE-2026-46599","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"46599","Ordinal":"1","NoteData":"The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.","Type":"Description","Title":"Excessive resource consumption in PackBits decompression in gola"}]}}}