ByteOS Network

Vulnerability Details :

CVE-2026-33812

Summary

Assigner-Go

Assigner Org ID-1bb62c36-49e3-4200-9d77-64a1400537cc

Published At-21 Apr, 2026 | 19:21

Updated At-21 Apr, 2026 | 20:43

Excessive memory allocation when decoding malicious SFNT in golang.org/x/image

Parsing a malicious font file can cause excessive memory allocation.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:Go

Assigner Org ID:1bb62c36-49e3-4200-9d77-64a1400537cc

Published At:21 Apr, 2026 | 19:21

Updated At:21 Apr, 2026 | 20:43

▼CVE Numbering Authority (CNA)

Excessive memory allocation when decoding malicious SFNT in golang.org/x/image

Parsing a malicious font file can cause excessive memory allocation.

Affected Products

Vendor

golang.org/x/image

Product

golang.org/x/image/font/sfnt

Collection URL

https://pkg.go.dev

Package Name

golang.org/x/image/font/sfnt

Program Routines

source.view
Collection.Font
Font.GlyphAdvance
Font.GlyphBounds
Font.GlyphIndex
Font.GlyphName
Font.Kern
Font.LoadGlyph
Font.Name
Font.WriteSourceTo
Parse
ParseCollection
ParseCollectionReaderAt
ParseReaderAt

Default Status

unaffected

Versions

Affected

From 0 before 0.39.0 (semver)

Problem Types

Type	CWE ID	Description
N/A	N/A	CWE-789: Memory Allocation with Excessive Size Value

Type: N/A

CWE ID: N/A

Description: CWE-789: Memory Allocation with Excessive Size Value

Credits

Andy Gill, ZephrSec Ltd

References

Hyperlink	Resource
https://go.dev/cl/761180	N/A
https://go.dev/issue/78382	N/A
https://pkg.go.dev/vuln/GO-2026-4962	N/A

Hyperlink: https://go.dev/cl/761180

Resource: N/A

Hyperlink: https://go.dev/issue/78382

Resource: N/A

Hyperlink: https://pkg.go.dev/vuln/GO-2026-4962

Resource: N/A

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics

Version	Base score	Base severity	Vector
3.1	6.1	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Version: 3.1

Base score: 6.1

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Metrics Other Info

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:security@golang.org

Published At:21 Apr, 2026 | 20:16

Updated At:22 Apr, 2026 | 21:24

Parsing a malicious font file can cause excessive memory allocation.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	6.1	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

Type: Secondary

Version: 3.1

Base score: 6.1

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

References

Hyperlink	Source	Resource
https://go.dev/cl/761180	security@golang.org	N/A
https://go.dev/issue/78382	security@golang.org	N/A
https://pkg.go.dev/vuln/GO-2026-4962	security@golang.org	N/A

Hyperlink: https://go.dev/cl/761180

Source: security@golang.org

Resource: N/A

Hyperlink: https://go.dev/issue/78382

Source: security@golang.org

Resource: N/A

Hyperlink: https://pkg.go.dev/vuln/GO-2026-4962

Source: security@golang.org

Resource: N/A

CVE-2026-33812

Credits

Excessive memory allocation when decoding malicious SFNT in golang.org/x/image

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs