Source: golang-golang-x-image
Version: 0.42.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for golang-golang-x-image.

CVE-2026-46601[0]:
| The webp decoder can panic when processing a VP8 chunk with
| dimensions that do not match the canvas size.


CVE-2026-46602[1]:
| The TIFF decoder does not set a limit on the size of tiles in tiled
| images, permitting a malicious or corrupt image containing a very
| large tile to cause unbounded memory consumption.


CVE-2026-46604[2]:
| The TIFF decoder can panic when decoding an invalid image with an
| out-of-bounds strip offset.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-46601
    https://www.cve.org/CVERecord?id=CVE-2026-46601
[1] https://security-tracker.debian.org/tracker/CVE-2026-46602
    https://www.cve.org/CVERecord?id=CVE-2026-46602
[2] https://security-tracker.debian.org/tracker/CVE-2026-46604
    https://www.cve.org/CVERecord?id=CVE-2026-46604

Regards,
Salvatore

Reply via email to