{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33812", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2026-03-23T20:35:32.814Z", "datePublished": "2026-04-21T19:21:28.556Z", "dateUpdated": "2026-04-21T20:43:11.915Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-21T19:21:28.556Z"}, "title": "Excessive memory allocation when decoding malicious SFNT in golang.org/x/image", "descriptions": [{"lang": "en", "value": "Parsing a malicious font file can cause excessive memory allocation."}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/font/sfnt", "collectionURL": "https://pkg.go.dev", "packageName": "golang.org/x/image/font/sfnt", "versions": [{"version": "0", "lessThan": "0.39.0", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "source.view"}, {"name": "Collection.Font"}, {"name": "Font.GlyphAdvance"}, {"name": "Font.GlyphBounds"}, {"name": "Font.GlyphIndex"}, {"name": "Font.GlyphName"}, {"name": "Font.Kern"}, {"name": "Font.LoadGlyph"}, {"name": "Font.Name"}, {"name": "Font.WriteSourceTo"}, {"name": "Parse"}, {"name": "ParseCollection"}, {"name": "ParseCollectionReaderAt"}, {"name": "ParseReaderAt"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "references": [{"url": "https://go.dev/cl/761180"}, {"url": "https://go.dev/issue/78382"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4962"}], "credits": [{"lang": "en", "value": "Andy Gill, ZephrSec Ltd"}]}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:43:08.370574Z", "id": "CVE-2026-33812", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:43:11.915Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33812", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:43:08.370574Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:43:03.869Z"}}], "cna": {"title": "Excessive memory allocation when decoding malicious SFNT in golang.org/x/image", "credits": [{"lang": "en", "value": "Andy Gill, ZephrSec Ltd"}], "affected": [{"vendor": "golang.org/x/image", "product": "golang.org/x/image/font/sfnt", "versions": [{"status": "affected", "version": "0", "lessThan": "0.39.0", "versionType": "semver"}], "packageName": "golang.org/x/image/font/sfnt", "collectionURL": "https://pkg.go.dev", "defaultStatus": "unaffected", "programRoutines": [{"name": "source.view"}, {"name": "Collection.Font"}, {"name": "Font.GlyphAdvance"}, {"name": "Font.GlyphBounds"}, {"name": "Font.GlyphIndex"}, {"name": "Font.GlyphName"}, {"name": "Font.Kern"}, {"name": "Font.LoadGlyph"}, {"name": "Font.Name"}, {"name": "Font.WriteSourceTo"}, {"name": "Parse"}, {"name": "ParseCollection"}, {"name": "ParseCollectionReaderAt"}, {"name": "ParseReaderAt"}]}], "references": [{"url": "https://go.dev/cl/761180"}, {"url": "https://go.dev/issue/78382"}, {"url": "https://pkg.go.dev/vuln/GO-2026-4962"}], "descriptions": [{"lang": "en", "value": "Parsing a malicious font file can cause excessive memory allocation."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2026-04-21T19:21:28.556Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33812", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:43:11.915Z", "dateReserved": "2026-03-23T20:35:32.814Z", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "datePublished": "2026-04-21T19:21:28.556Z", "assignerShortName": "Go"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Parsing a malicious font file can cause excessive memory allocation."}], "id": "CVE-2026-33812", "lastModified": "2026-04-21T21:16:29.843", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T20:16:56.290", "references": [{"source": "security@golang.org", "url": "https://go.dev/cl/761180"}, {"source": "security@golang.org", "url": "https://go.dev/issue/78382"}, {"source": "security@golang.org", "url": "https://pkg.go.dev/vuln/GO-2026-4962"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T05:29:26.076516+00:00", "value": {"mitigation_remediation": ["Check golang.org/x/image for updates or newer releases that address memory\u2011allocation issues", "Validate or sanitize any font files before passing to the SFNT parser, rejecting files that exceed size thresholds", "Configure Go runtime memory limits or use cgroups to constrain the memory available to the process so that a memory\u2011exhaustion attempt cannot crash the host"], "summary": {"action": "Monitor", "impact": "Denial of Service via memory exhaustion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects any application that imports and uses the golang.org/x/image/font/sfnt package, including all versions of the golang.org/x/image library prior to a patch, regardless of the Go runtime version. No specific product versions are listed in the CNA data, so all unpatched instances are potentially impacted.", "description_and_impact": "Parsing a malicious SFNT font file triggers an excessive memory allocation in the golang.org/x/image/font/sfnt package. The flaw can cause the process to consume large amounts of memory, potentially exhausting system resources and leading to a denial of service. The weakness is a form of uncontrolled resource consumption (CWE-400).", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity. EPSS information is not available, so the current exploitation probability cannot be quantified. The flaw is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog, suggesting no publicly known exploits yet. The likely attack vector involves an attacker providing a specially crafted font file to an application that processes fonts; this is inferred because the vulnerability is triggered during font parsing."}}}}, "created": "2026-04-22T05:30:09.560673+00:00", "updated": "2026-04-22T05:30:09.560689+00:00", "vendors": []}