CVE-2026-34165

go-git: Maliciously crafted idx file can cause asymmetric memory consumption

Assigner: GitHub_M
Reserved: 25.03.2026 Published: 31.03.2026 Updated: 31.03.2026

go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
CVSS Score: 5

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	None
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	go-git
Product	go-git
Versions	Version >= 5.0.0, < 5.17.1 is affected

Vendor

go-git

Product

go-git

Versions

Version >= 5.0.0, < 5.17.1 is affected

References

Problem Types

CWE-191: Integer Underflow (Wrap or Wraparound) CWE
CWE-770: Allocation of Resources Without Limits or Throttling CWE

CVE-2026-34165 PUBLISHED

go-git: Maliciously crafted idx file can cause asymmetric memory consumption

Metrics

Product Status

References

Problem Types