Source: golang-golang-x-image Version: 0.42.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for golang-golang-x-image. CVE-2026-46601[0]: | The webp decoder can panic when processing a VP8 chunk with | dimensions that do not match the canvas size. CVE-2026-46602[1]: | The TIFF decoder does not set a limit on the size of tiles in tiled | images, permitting a malicious or corrupt image containing a very | large tile to cause unbounded memory consumption. CVE-2026-46604[2]: | The TIFF decoder can panic when decoding an invalid image with an | out-of-bounds strip offset. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-46601 https://www.cve.org/CVERecord?id=CVE-2026-46601 [1] https://security-tracker.debian.org/tracker/CVE-2026-46602 https://www.cve.org/CVERecord?id=CVE-2026-46602 [2] https://security-tracker.debian.org/tracker/CVE-2026-46604 https://www.cve.org/CVERecord?id=CVE-2026-46604 Regards, Salvatore

