{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-21T19:21:28Z",
  "bugzilla" : {
    "description" : "golang.org/x/image: golang: golang.org/x/image: Denial of Service due to excessive memory allocation when parsing malicious font files",
    "id" : "2460227",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460227"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-770",
  "details" : [ "A flaw was found in golang.org/x/image. A remote attacker could exploit this vulnerability by providing a specially crafted font file and convincing a user to open it. Parsing this malicious file can lead to excessive memory allocation, which may result in a Denial of Service (DoS) for the affected system." ],
  "statement" : "This has been rated as Moderate impact. The golang.org/x/image package is vulnerable to a denial of service when processing a specially crafted font file. An attacker could exploit this by convincing a user to open a malicious font file, leading to excessive memory allocation and potential system unavailability. This vulnerability requires user interaction, limiting its immediate impact on typical Red Hat deployments.",
  "package_state" : [ {
    "product_name" : "Cryostat 4",
    "fix_state" : "Fix deferred",
    "package_name" : "cryostat/cryostat-storage-rhel9",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-logging/cluster-logging-rhel9-operator",
    "cpe" : "cpe:/a:redhat:logging:6"
  }, {
    "product_name" : "Multicluster Global Hub",
    "fix_state" : "Fix deferred",
    "package_name" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-serverless-1/kn-plugin-event-sender-rhel9",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-service-mesh/istio-rhel8-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 3",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:service_mesh:3"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Fix deferred",
    "package_name" : "rhacm2/acm-grafana-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Fix deferred",
    "package_name" : "rhacm2/volsync-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "ansible-automation-platform/platform-operator-bundle",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "golang",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "go-toolset:rhel8/golang",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "golang",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI) 3",
    "fix_state" : "Fix deferred",
    "package_name" : "golang",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:3"
  }, {
    "product_name" : "Red Hat OpenShift AI (RHOAI)",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoai/odh-model-registry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_ai"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/ose-tests-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-gitops-1/argocd-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift GitOps",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-gitops-1/argocd-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_gitops:1"
  }, {
    "product_name" : "Red Hat OpenShift Virtualization 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-golang-builder-container",
    "cpe" : "cpe:/a:redhat:container_native_virtualization:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Fix deferred",
    "package_name" : "rhoso-operators/openstack-operator-bundle",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-33812\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33812\nhttps://go.dev/cl/761180\nhttps://go.dev/issue/78382\nhttps://pkg.go.dev/vuln/GO-2026-4962" ],
  "name" : "CVE-2026-33812",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}