CVE-2022-41727 — Denial of service via crafted TIFF image in golang.org/x/image/tiff

Description

An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

How to fix CVE-2022-41727

To remediate CVE-2022-41727, upgrade the affected package to a fixed version below.

Debian/golang-golang-x-image—no fix listed
—upgrade to 0.5.0 or later
—upgrade to 0.5.0 or later

Is CVE-2022-41727 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0
from 0, < 0.5.0
from 0, < 0.5.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-41727
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-41727
WEBgo.dev/cl/468195
WEBgo.dev/issue/58003
WEBgroups.google.com/g/golang-announce/c/ag-FiyjlD5o