CVE-2026-33813

Severity: High (Updated)
Published: 21 April 2026
Modified: 13 May 2026
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0007 (21.3th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33813 is a high-severity vulnerability, with an unspecified weakness type, in Golang Image. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 21.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-33813 affects the Go programming language's WEBP image parsing component. On 32-bit platforms, parsing a WEBP image with an invalid, large size triggers a panic, resulting in denial of service. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high availability impact without requiring privileges or user interaction.

Remote attackers can exploit this vulnerability by providing a specially crafted WEBP image to any network-accessible Go application that processes WEBP files. No authentication is needed, and exploitation leads to an application crash or panic, disrupting service availability on affected 32-bit systems.

The Go vulnerability advisory GO-2026-4961 documents the issue, with a fix submitted in change list https://go.dev/cl/759860 and further details in issue tracker entry https://go.dev/issue/78407. Security practitioners should consult https://pkg.go.dev/vuln/GO-2026-4961 for patching guidance and update affected Go installations accordingly.

Vulnerability details

Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote DoS via crafted WEBP input causing application panic/crash on 32-bit systems, directly mapping to application or system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32283 (Same vendor: Golang)
CVE-2026-25679 (Same vendor: Golang)
CVE-2026-32281 (Same vendor: Golang)
CVE-2026-27137 (Same vendor: Golang)
CVE-2026-32280 (Same vendor: Golang)
CVE-2025-61726 (Same vendor: Golang)
CVE-2026-33810 (Same vendor: Golang)
CVE-2026-27143 (Same vendor: Golang)
CVE-2026-27140 (Same vendor: Golang)
CVE-2025-68121 (Same vendor: Golang)

Affected Assets

golang image, versions ≤ 0.39.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the WEBP parsing flaw in Go by applying patches from the official advisory GO-2026-4961.

prevent

Validates WEBP image inputs for format correctness and size limits to block malformed images causing parsing panics.

prevent

Implements graceful error handling in image parsing to prevent application crashes or panics from invalid WEBP sizes.
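
One way to apply the input-validation and error-handling controls above in a Go service, as an added example (not code from the Go project or from this page). The names `CheckHeader`, `SafeDecode`, `ErrRejected` and the `maxPixels` cap are assumptions, and because the page does not say which size field triggers the panic, the pre-check covers the RIFF and chunk lengths plus the VP8X canvas size, with `recover` as the backstop:

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"image"
	"io"
)

const maxPixels = 32 << 20 // assumed policy cap, not a value from the advisory
var ErrRejected = errors.New("webp rejected")

func u24(b []byte) uint64 { return uint64(b[0]) | uint64(b[1])<<8 | uint64(b[2])<<16 }

// CheckHeader validates RIFF framing and any VP8X canvas size using 64-bit math.
func CheckHeader(b []byte) error {
	if len(b) < 20 || string(b[:4]) != "RIFF" || string(b[8:12]) != "WEBP" {
		return fmt.Errorf("%w: not a RIFF/WEBP container", ErrRejected)
	}
	riff := uint64(binary.LittleEndian.Uint32(b[4:8]))    // bytes following the RIFF size field
	chunk := uint64(binary.LittleEndian.Uint32(b[16:20])) // payload length of the first chunk
	if riff+8 > uint64(len(b)) || chunk+12 > riff {
		return fmt.Errorf("%w: declared size exceeds data", ErrRejected)
	}
	if string(b[12:16]) == "VP8X" && (chunk < 10 || (u24(b[24:27])+1)*(u24(b[27:30])+1) > maxPixels) {
		return fmt.Errorf("%w: VP8X chunk short or canvas over %d pixels", ErrRejected, maxPixels)
	}
	return nil
}

// SafeDecode pre-checks the input and turns a decoder panic into an ordinary error.
// decode is caller-supplied, e.g. webp.Decode from golang.org/x/image/webp.
func SafeDecode(b []byte, decode func(io.Reader) (image.Image, error)) (img image.Image, err error) {
	if err = CheckHeader(b); err != nil {
		return nil, err
	}
	defer func() {
		if p := recover(); p != nil {
			img, err = nil, fmt.Errorf("%w: decoder panic: %v", ErrRejected, p)
		}
	}()
	return decode(bytes.NewReader(b))
}

func main() {
	big := []byte("RIFF\x16\x00\x00\x00WEBPVP8X\x0a\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff\xff") // constructed: 2^24 x 2^24 canvas
	fmt.Println(CheckHeader(big))
}
```

Pass `webp.Decode` from `golang.org/x/image/webp` as `decode` and cap the request body upstream, for example with `http.MaxBytesReader`. The guard complements the fixed module version referenced in GO-2026-4961; it does not replace the update.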
