CVE-2026-42500

medium

Published 2026-05-29 · Modified 2026-06-01

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.3

Description

Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.

Predictions

Exploit likelihood

63%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-42500 NameCVE-2026-42500 DescriptionDecoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Debian Bugs1138257 Vulnerable and fixed packages The table below…

CVE-2026-42500

Name	CVE-2026-42500
Description	Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1138257

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-golang-x-image (PTS)	bullseye	0.0~git20200119.58c2397-1	vulnerable
	bookworm	0.5.0-1	vulnerable
	trixie	0.18.0-1	vulnerable
	forky, sid	0.39.0-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
golang-golang-x-image	source	(unstable)	(unfixed)			1138257

Notes

https://github.com/golang/go/issues/79576
https://go-review.googlesource.com/c/image/+/781500

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://github.com/golang/go/issues/79576https://go-review.googlesource.com/c/image/+/781500

OS impact

Debian Affected 5 releases

Version	Status	Fixed in
trixie	Affected	—
sid	Affected	—
forky	Affected	—
bullseye	Affected	—
bookworm	Affected	—

Package impact

Ecosystem	Package	Vulnerable	Fixed
Go	golang.org/x/image	`<0.41.0`	`0.41.0`

References

CWEs

CWE-129:

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.