{ "threat_severity" : "Moderate", "public_date" : "2026-03-25T18:24:04Z", "bugzilla" : { "description" : "golang: golang.org/x/image/tiff: golang.org/x/image/tiff: Denial of Service via maliciously crafted TIFF file", "id" : "2451437", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451437" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-1285", "details" : [ "A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.", "A flaw was found in golang.org/x/image/tiff. A remote attacker could exploit this vulnerability by providing a maliciously crafted Tagged Image File Format (TIFF) file. This could cause the image decoding process to attempt to allocate up to 4 gigabytes (GiB) of memory. The excessive resource consumption or an out-of-memory error would lead to a Denial of Service (DoS) condition." ], "package_state" : [ { "product_name" : "Cryostat 4", "fix_state" : "Fix deferred", "package_name" : "cryostat/cryostat-storage-rhel9", "cpe" : "cpe:/a:redhat:cryostat:4" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/cluster-logging-rhel9-operator", "cpe" : "cpe:/a:redhat:logging:6" }, { "product_name" : "OpenShift Service Mesh 2", "fix_state" : "Fix deferred", "package_name" : "openshift-golang-builder-container", "cpe" : "cpe:/a:redhat:service_mesh:2" }, { "product_name" : "OpenShift Service Mesh 3", "fix_state" : "Fix deferred", "package_name" : "openshift-golang-builder-container", "cpe" : "cpe:/a:redhat:service_mesh:3" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "golang", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "go-toolset:rhel8/golang", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "golang", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3", "fix_state" : "Fix deferred", "package_name" : "golang", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3" }, { "product_name" : "Red Hat Hardened Images", "fix_state" : "Affected", "package_name" : "golang1.25", "cpe" : "cpe:/a:redhat:hummingbird:1" }, { "product_name" : "Red Hat Hardened Images", "fix_state" : "Affected", "package_name" : "golang1.26", "cpe" : "cpe:/a:redhat:hummingbird:1" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-tests-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift-golang-builder-container", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Virtualization 4", "fix_state" : "Fix deferred", "package_name" : "openshift-golang-builder-container", "cpe" : "cpe:/a:redhat:container_native_virtualization:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33809\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33809\nhttps://go.dev/cl/757660\nhttps://go.dev/issue/78267\nhttps://pkg.go.dev/vuln/GO-2026-4815" ], "name" : "CVE-2026-33809", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }