CVE-2026-34165

Aliases:GHSA-jhf3-xxhw-2wppGO-2026-4910
Advisory lineage Upstream: 0 Downstream: 4
Analyzed
Published: 31 Mar 2026, 13:46
Last modified:02 Apr 2026, 15:10

Vulnerability Summary

Overall Risk (default)
low
20/100
CVSS Score
5 MEDIUM
v3.1 (cve.org)
EPSS Score
<0.01% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

31 Mar 2026, 13:46
Published
Vulnerability first disclosed
02 Apr 2026, 15:10
Last Modified
Vulnerability information updated

Description

go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.

CVSS Metrics

  • v3.1MEDIUMScore: 5CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.01% Percentile: 0%

Techniques & Countermeasures

  • CWE-191Integer Underflow (Wrap or Wraparound)

    The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.

  • CWE-770Allocation of Resources Without Limits or Throttling

    The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

  • go-git_projectgo-git

    ≥ 5.0.0, < 5.17.1

  • go-gitgo-git

    ≥ 5.0.0, < 5.17.1

  • github.com/go-gitgo-git

    all

  • github.com/go-git/go-gitv4

    all

  • github.com/go-git/go-gitv5

    ≥ 5.0.0, < 5.17.1

References (4)