fix(deps): update module golang.org/x/image to v0.41.0 [security]

[oep-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
golang.org/x/image	v0.18.0 → v0.41.0

---

Go Images vulnerable to an out-of-memory error via a crafted TIFF file

CVE-2026-33809 / GHSA-44p7-9xx4-hf2g

More information

Details

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-33809
• https://go.dev/cl/757660
• https://go.dev/issue/78267
• https://pkg.go.dev/vuln/GO-2026-4815
• https://github.com/advisories/GHSA-44p7-9xx4-hf2g

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Go Images vulnerable to an out-of-memory error via a crafted TIFF file

CVE-2026-33809 / GHSA-44p7-9xx4-hf2g / GO-2026-4815

More information

Details

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-33809
• https://cs.opensource.google/go/x/image
• https://go.dev/cl/757660
• https://go.dev/issue/78267
• https://pkg.go.dev/vuln/GO-2026-4815

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

OOM from malicious IFD offset in golang.org/x/image/tiff

CVE-2026-33809 / GHSA-44p7-9xx4-hf2g / GO-2026-4815

More information

Details

A maliciously crafted TIFF file can cause image decoding to attempt to allocate up 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.

Severity

Unknown

References

• https://go.dev/cl/757660
• https://go.dev/issue/78267

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Panic when decoding large WEBP image on 32-bit platforms in golang.org/x/image

CVE-2026-33813 / GO-2026-4961

More information

Details

Parsing a WEBP image with an invalid, large size panics on 32-bit platforms.

Severity

Unknown

References

• https://go.dev/cl/759860
• https://go.dev/issue/78407

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Excessive memory allocation when decoding malicious SFNT in golang.org/x/image

CVE-2026-33812 / GO-2026-4962

More information

Details

Parsing a malicious font file can cause excessive memory allocation.

Severity

Unknown

References

• https://go.dev/cl/761180
• https://go.dev/issue/78382

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Panic when reading out of bound palette index in golang.org/x/image/bmp

CVE-2026-42500 / GO-2026-5031

More information

Details

Decoding a paletted BMP file with an out-of-range palette index results in a panic when accessing pixels in the invalid image.

Severity

Unknown

References

• https://go.dev/issue/79576
• https://groups.google.com/g/golang-announce/c/uhYX90BlBvI
• https://go.dev/cl/781500

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Excessive resource consumption in PackBits decompression in golang.org/x/image/tiff

CVE-2026-46599 / GO-2026-5032

More information

Details

The TIFF decoder does not place a limit on the size of PackBits-compressed data. A maliciously-crafted image can exploit this to cause a small image (both in terms of pixel width/height and encoded size) to make the decoder decode large amounts of compressed data.

Severity

Unknown

References

• https://go.dev/issue/79577
• https://go.dev/cl/759960
• https://groups.google.com/g/golang-announce/c/uhYX90BlBvI

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[oep-renovate]

ℹ️ Artifact update notice

File name: interactive_ai/services/media/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.24.0 -> 1.25.0
golang.org/x/text	v0.32.0 -> v0.37.0

[oep-renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.