CVE-2026-33813
Published: 21 April 2026
Summary
CVE-2026-33813 is a high-severity vulnerability in Golang Image; its weakness type is unspecified. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 21.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-33813 affects the Go programming language's WEBP image parsing component. On 32-bit platforms, parsing a WEBP image with an invalid, large size triggers a panic, resulting in denial of service. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high availability impact without requiring privileges or user interaction.
Remote attackers can exploit this vulnerability by providing a specially crafted WEBP image to any network-accessible Go application that processes WEBP files. No authentication is needed, and exploitation leads to an application crash or panic, disrupting service availability on affected 32-bit systems.
The Go vulnerability advisory GO-2026-4961 documents the issue, with a fix submitted in change list https://go.dev/cl/759860 and further details in issue tracker entry https://go.dev/issue/78407. Security practitioners should consult https://pkg.go.dev/vuln/GO-2026-4961 for patching guidance and update affected Go installations accordingly.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24247
Vulnerability details
Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
The vulnerability enables remote DoS: crafted WEBP input causes an application panic or crash on 32-bit systems, which maps directly to application or system exploitation for endpoint denial of service.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the WEBP parsing flaw in Go by applying patches from the official advisory GO-2026-4961.
Validates WEBP image inputs for format correctness and size limits to block malformed images causing parsing panics.
Implements graceful error handling in image parsing to prevent application crashes or panics from invalid WEBP sizes.
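The input-validation and error-handling controls above can be combined in front of a WEBP decoder. The sketch below is an added example, not code from the Go project or the advisory. It uses only the standard library and complements the patch rather than replacing it. The names `checkWebPContainer`, `safeDecode` and `maxWebPBytes`, and the 8 MiB limit, are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"image"
	"io"
)

const maxWebPBytes = 8 << 20 // assumed policy limit, not from the advisory
// checkWebPContainer checks RIFF/WEBP framing in uint64 so sizes cannot wrap a 32-bit int.
func checkWebPContainer(b []byte) error {
	if len(b) < 12 || string(b[:4]) != "RIFF" || string(b[8:12]) != "WEBP" {
		return fmt.Errorf("not a RIFF/WEBP container")
	}
	end := uint64(binary.LittleEndian.Uint32(b[4:8])) + 8
	if len(b) > maxWebPBytes || end > uint64(len(b)) {
		return fmt.Errorf("RIFF size exceeds input or policy limit")
	}
	for off := uint64(12); off < end; {
		if end-off < 8 {
			return fmt.Errorf("truncated chunk header at offset %d", off)
		}
		size := uint64(binary.LittleEndian.Uint32(b[off+4 : off+8]))
		if size > end-off-8 {
			return fmt.Errorf("chunk %q declares %d bytes, %d remain", b[off:off+4], size, end-off-8)
		}
		off += 8 + size + size&1 // payloads are padded to an even length
	}
	return nil
}

// safeDecode gates decode (e.g. webp.Decode) behind the check and turns a panic into an error.
func safeDecode(b []byte, decode func(io.Reader) (image.Image, error)) (img image.Image, err error) {
	if err = checkWebPContainer(b); err != nil {
		return nil, err
	}
	defer func() {
		if r := recover(); r != nil {
			img, err = nil, fmt.Errorf("decoder panicked: %v", r)
		}
	}()
	return decode(bytes.NewReader(b))
}

func main() { // constructed sample: a chunk that claims 0x7fffffff bytes
	fmt.Println(safeDecode([]byte("RIFF\x0c\x00\x00\x00WEBPVP8 \xff\xff\xff\x7f"), nil))
}
```

In a service, `decode` would be the real decoder, for example `webp.Decode` from `golang.org/x/image/webp`. The `recover` only contains a panic raised on the calling goroutine.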