#1140919 golang-golang-x-image: CVE-2026-46601 CVE-2026-46602 CVE-2026-46604

#1140919#5
Date: 2026-06-28 12:05:43 UTC
Hi,

The following vulnerabilities were published for golang-golang-x-image.

CVE-2026-46601[0]:
| The webp decoder can panic when processing a VP8 chunk with
| dimensions that do not match the canvas size.


CVE-2026-46602[1]:
| The TIFF decoder does not set a limit on the size of tiles in tiled
| images, permitting a malicious or corrupt image containing a very
| large tile to cause unbounded memory consumption.


CVE-2026-46604[2]:
| The TIFF decoder can panic when decoding an invalid image with an
| out-of-bounds strip offset.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-46601
    https://www.cve.org/CVERecord?id=CVE-2026-46601
[1] https://security-tracker.debian.org/tracker/CVE-2026-46602
    https://www.cve.org/CVERecord?id=CVE-2026-46602
[2] https://security-tracker.debian.org/tracker/CVE-2026-46604
    https://www.cve.org/CVERecord?id=CVE-2026-46604

Regards,
Salvatore
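
For services that decode untrusted images while they wait for the decoder fixes, a caller-side guard can cap input and canvas size and turn a decoder panic into an error. This is an added example, not code from this report or from golang.org/x/image. `SafeDecode`, the limits and the "TOY1" stand-in format are assumptions made so that it runs with the standard library only.

```go
package main

import (
	"bytes"
	"fmt"
	"image"
	"io"
)

const maxInputBytes, maxPixels = 32 << 20, 64 << 20 // assumed limits, tune per application

// SafeDecode caps input and canvas size and turns a decoder panic into an error.
// Real callers would blank-import golang.org/x/image/tiff and .../webp.
func SafeDecode(r io.Reader) (img image.Image, err error) {
	defer func() {
		if p := recover(); p != nil {
			img, err = nil, fmt.Errorf("decoder panic: %v", p)
		}
	}()
	data, err := io.ReadAll(io.LimitReader(r, maxInputBytes+1))
	if err != nil || len(data) > maxInputBytes {
		return nil, fmt.Errorf("input unreadable or over %d bytes: %v", maxInputBytes, err)
	}
	cfg, _, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	if cfg.Width <= 0 || cfg.Height <= 0 || int64(cfg.Width)*int64(cfg.Height) > maxPixels {
		return nil, fmt.Errorf("canvas %dx%d outside limits", cfg.Width, cfg.Height)
	}
	img, _, err = image.Decode(bytes.NewReader(data))
	return img, err
}

// Constructed stand-in format "TOY1": byte 4 is an offset into the pixel
// data that the toy decoder trusts, mimicking an unchecked strip offset.
func init() {
	image.RegisterFormat("toy", "TOY1", func(r io.Reader) (image.Image, error) {
		b, _ := io.ReadAll(r)
		_ = b[5:][b[4]] // panics when the offset is out of bounds
		return image.NewGray(image.Rect(0, 0, 1, 1)), nil
	}, func(io.Reader) (image.Config, error) {
		return image.Config{Width: 1, Height: 1}, nil
	})
}

func main() {
	fmt.Println(SafeDecode(bytes.NewReader([]byte("TOY1\xff\x00")))) // constructed input
}
```

The canvas check does not bound TIFF tile dimensions, which are separate fields in the file, so it does not address CVE-2026-46602. `recover` only catches panics raised on the calling goroutine.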