go-git: Maliciously crafted idx file can cause asymmetric memory consumption

5 / 10

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Description

go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.

Basic Information

ID CVE-2026-34165

Source GitHub_M

Published Mar 31, 2026 at 13:46

Modified Apr 2, 2026 at 15:10

Affected Product

Vendor go-git

Product go-git

Version >= 5.0.0, < 5.17.1

Affected Versions go-git go-git >= 5.0.0, < 5.17.1

CWE Classification

CWE-191 CWE-770

References

{
    "lastseen": "",
    "description": "go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.",
    "published": "2026-03-31T13:46:37.688Z",
    "modified": "2026-04-02T15:10:17.724Z",
    "type": "cve",
    "title": "go-git: Maliciously crafted idx file can cause asymmetric memory consumption",
    "source": "GitHub_M",
    "references": "https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp\nhttps://github.com/go-git/go-git/releases/tag/v5.17.1",
    "id": "CVE-2026-34165",
    "bulletinFamily": "",
    "cwe": [
        "CWE-191",
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "go-git go-git >= 5.0.0, < 5.17.1",
    "sourceHref": "",
    "cvss": {
        "score": 5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "go-git",
    "version": ">= 5.0.0, < 5.17.1",
    "vendor": "go-git",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

go-git: Maliciously crafted idx file can cause asymmetric memory consumption_CVE-2026-34165