{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34165", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-25T20:12:04.197Z", "datePublished": "2026-03-31T13:46:37.688Z", "dateUpdated": "2026-03-31T13:46:37.688Z"}, "containers": {"cna": {"title": "go-git: Maliciously crafted idx file can cause asymmetric memory consumption", "problemTypes": [{"descriptions": [{"cweId": "CWE-191", "lang": "en", "description": "CWE-191: Integer Underflow (Wrap or Wraparound)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp"}, {"name": "https://github.com/go-git/go-git/releases/tag/v5.17.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-git/go-git/releases/tag/v5.17.1"}], "affected": [{"vendor": "go-git", "product": "go-git", "versions": [{"version": ">= 5.0.0, < 5.17.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T13:46:37.688Z"}, "descriptions": [{"lang": "en", "value": "go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1."}], "source": {"advisory": "GHSA-jhf3-xxhw-2wpp", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1."}], "id": "CVE-2026-34165", "lastModified": "2026-04-01T14:24:02.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T15:16:17.343", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/go-git/go-git/releases/tag/v5.17.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-191"}, {"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.17.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "go-git", "source": "cna", "vendor": "go-git"}, "product": "go-git", "vendor": "go-git"}], "analysis": {"en": {"generated_at": "2026-03-31T15:27:14.691553+00:00", "value": {"mitigation_remediation": ["Upgrade go\u2011git to version 5.17.1 or newer.", "Restrict write permissions on the .git directory to trusted users or processes.", "If an immediate upgrade is not feasible, monitor memory usage of services using go\u2011git and restrict handling of large or suspicious .idx files until a patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service through memory exhaustion"}, "threat_synthesis": {"affected_systems": "The affected product is go\u2011git, versions starting from 5.0.0 up to 5.17.0. The issue is fixed in release 5.17.1, so any installation of go\u2011git 5.0.0 through 5.17.0 remains vulnerable.", "description_and_impact": "The vulnerability resides in go\u2011git\u2019s handling of .idx files. A maliciously crafted index file can trigger asymmetric memory consumption, potentially exhausting the process\u2019s available memory. This leads to a denial\u2011of\u2011service condition rather than code execution. The weakness pertains to integer overflows and improper bounds checks, as highlighted by CWE\u2011191 and CWE\u2011770.", "risk_and_exploitability": "The CVSS score of 5 indicates a medium severity. Exploitation requires write access to the local .git directory, so an attacker must have local filesystem or repository modification rights. The bug does not expose remote attack vectors and is not listed in the CISA KEV catalog. While EPSS data is unavailable, the limited attack surface suggests a lower likelihood of widespread exploitation, yet the impact on availability makes it significant for critical deployments."}}}}, "created": "2026-03-31T19:54:40.734024+00:00", "updated": "2026-03-31T20:38:34.686936+00:00", "vendors": ["go-git", "go-git$PRODUCT$go-git"]}