{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-46601", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-05-15T17:35:00.814Z", "datePublished": "2026-06-25T19:47:21.500Z", "dateUpdated": "2026-06-26T16:09:18.573Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-06-25T19:47:21.500Z"}, "title": "Panic on VP8 alpha channel size mismatch in x/image/webp in golang.org/x/image", "descriptions": [{"lang": "en", "value": "The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size."}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/webp", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/image/webp", "versions": [{"version": "0", "lessThan": "0.43.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "decode"}, {"name": "Decode"}, {"name": "DecodeConfig"}], "defaultStatus": "unaffected"}, {"vendor": "golang.org/x/image", "product": "golang.org/x/image/webp", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/image/webp", "versions": [{"version": "0", "lessThan": "0.43.0", "status": "affected", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125: Out-of-bounds Read"}]}], "references": [{"url": "https://go.dev/cl/787681"}, {"url": "https://go.dev/issue/79869"}, {"url": "https://pkg.go.dev/vuln/GO-2026-5061"}], "credits": [{"lang": "en", "value": "Lucas Futures (GitHub: gn00295120)"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-26T16:08:56.631719Z", "id": "CVE-2026-46601", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T16:09:18.573Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-46601", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-26T16:08:56.631719Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T16:09:13.233Z"}}], "cna": {"title": "Panic on VP8 alpha channel size mismatch in x/image/webp in golang.org/x/image", "credits": [{"lang": "en", "value": "Lucas Futures (GitHub: gn00295120)"}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/webp", "versions": [{"status": "affected", "version": "0", "lessThan": "0.43.0", "versionType": "semver"}], "packageName": "golang.org/x/image/webp", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "decode"}, {"name": "Decode"}, {"name": "DecodeConfig"}]}, {"vendor": "golang.org/x/image", "product": "golang.org/x/image/webp", "versions": [{"status": "affected", "version": "0", "lessThan": "0.43.0", "versionType": "semver"}], "packageName": "golang.org/x/image/webp", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected"}], "references": [{"url": "https://go.dev/cl/787681"}, {"url": "https://go.dev/issue/79869"}, {"url": "https://pkg.go.dev/vuln/GO-2026-5061"}], "descriptions": [{"lang": "en", "value": "The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-06-25T19:47:21.500Z"}}}, "cveMetadata": {"cveId": "CVE-2026-46601", "state": "PUBLISHED", "dateUpdated": "2026-06-26T16:09:18.573Z", "dateReserved": "2026-05-15T17:35:00.814Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-06-25T19:47:21.500Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "golang.org/x/image/webp: golang.org/x/image/webp: Denial of Service via malformed VP8 chunk in WebP images", "id": "2493152", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2493152"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1288", "details": ["The webp decoder can panic when processing a VP8 chunk with dimensions that do not match the canvas size.", "A flaw was found in the `golang.org/x/image/webp` library's WebP decoder. A remote attacker could exploit this vulnerability by providing a specially crafted WebP image containing a VP8 chunk with mismatched dimensions. This could cause the decoder to panic, leading to a denial of service (DoS) for applications processing such images."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-46601", "package_state": [{"cpe": "cpe:/a:redhat:cryostat:4", "fix_state": "Not affected", "package_name": "cryostat/cryostat-storage-rhel9", "product_name": "Cryostat 4"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/volsync-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}], "public_date": "2026-06-25T19:47:21Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-46601\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-46601\nhttps://go.dev/cl/787681\nhttps://go.dev/issue/79869\nhttps://pkg.go.dev/vuln/GO-2026-5061"], "statement": "Red Hat products are not affected by this vulnerability. The vulnerable WebP decoder in golang.org/x/image/webp is present as a transitive dependency but is never imported or called by any affected product. VolSync is a storage replication operator and Cryostat Storage is an object storage backend \u2014 neither processes WebP images.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.43.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "golang.org/x/image/webp", "source": "cna", "vendor": "golang.org/x/image"}, "product": "image", "vendor": "golang"}], "created": "2026-06-25T22:15:04.737877+00:00", "updated": "2026-06-26T20:00:05.444604+00:00", "vendors": ["golang", "golang$PRODUCT$image"], "weaknesses": ["CWE-20"]}