{"uuid": "7fb7856b-195d-416d-aa90-43f46747892a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-46599", "type": "seen", "source": "https://gist.github.com/alon710/b509de249400d70367353eccad7c34f4", "content": "# CVE-2026-46599: CVE-2026-46599: Unrestricted Memory Allocation in golang.org/x/image/tiff PackBits Decoder\n\n&gt; **CVSS Score:** 7.5\n&gt; **Published:** 2026-07-02\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-46599\n\n## Summary\nCVE-2026-46599 (also identified by Go vulnerability alias GO-2026-5032) is a high-severity denial-of-service vulnerability in the Go image repository, specifically within the TIFF decoder's PackBits decompression engine. A lack of resource limits during the parsing of Run-Length Encoded PackBits streams allows an attacker to construct a crafted TIFF image that achieves significant decompression amplification. This flaw enables an unauthenticated remote attacker to exhaust system resources, leading to an Out-of-Memory crash or a prolonged application hang.\n\n## TL;DR\nUnrestricted PackBits decompression in golang.org/x/image/tiff allows unauthenticated remote attackers to trigger denial of service via memory exhaustion using a crafted 2MB TIFF image that decompresses to 745MB.\n\n## Technical Details\n\n- **CWE ID**: CWE-770 (Allocation of Resources Without Limits or Throttling)\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 7.5 (High)\n- **EPSS Score**: 0.00353\n- **EPSS Percentile**: 27.35%\n- **Exploit Status**: No public functional exploit code (None/PoC-only)\n- **KEV Status**: Not in CISA's Known Exploited Vulnerabilities (KEV) catalog\n\n## Affected Systems\n\n- Go ecosystem applications using golang.org/x/image/tiff\n- Tailscale clients and mesh components\n- Rclone cloud storage utilities\n- Gitea self-hosted Git services\n- Kubescape CLI scanner\n- Echo web framework-driven backend services parsing multipart image structures\n- **golang.org/x/image/tiff**: &lt; v0.41.0 (Fixed in: `v0.41.0`)\n\n## Mitigation\n\n- Upgrade golang.org/x/image to v0.41.0 or higher\n- Implement application-level file validation to block TIFF files\n- Enforce strict HTTP request body size limits\n- Rebuild and redeploy all statically compiled Go binaries\n\n**Remediation Steps:**\n1. Navigate to the Go module directory\n2. Execute 'go get golang.org/x/image@v0.41.0'\n3. Run 'go mod tidy' to update go.sum\n4. Recompile application binaries with 'go build'\n5. Deploy the updated executable to production environments\n\n## References\n\n- [NVD Record for CVE-2026-46599](https://nvd.nist.gov/vuln/detail/CVE-2026-46599)\n- [CVE.org Authority Record](https://www.cve.org/CVERecord?id=CVE-2026-46599)\n- [Go Vulnerability Database Entry](https://pkg.go.dev/vuln/GO-2026-5032)\n- [Go Issue Tracker Thread](https://go.dev/issue/79577)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-46599) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-06T08:02:31.782633Z"}