Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Index out-of-range when encountering a branch page with zero elements in go.etcd.io/bbolt
AnalysisAI
Index out-of-bounds read in go.etcd.io/bbolt allows local unauthenticated attackers to cause a denial of service by crafting a malicious database file with a branch page containing zero elements, triggering a crash during cursor traversal. The vulnerability affects all versions of the library and has been patched upstream; no public exploit code or active exploitation has been reported.
Technical ContextAI
go.etcd.io/bbolt is a pure Go key-value store library implementing an embedded B+tree structure for transactional data storage, commonly used in Go applications requiring local persistence. The root cause is a classic buffer over-read (CWE-125: Out-of-bounds Read) occurring during branch page traversal when the cursor attempts to access array indices without validating that the branch page contains at least one element. The vulnerability manifests in the pagination logic where a branch page with zero child pointers is accessed as if it contained valid entries, leading to memory access beyond allocated bounds and triggering a panic in the Go runtime.
RemediationAI
Update go.etcd.io/bbolt to a version incorporating commit 386d5b69785937d1aa20cb25c8439404cf398143 from PR #1171 (exact stable version number should be confirmed via github.com/etcd-io/bbolt releases or pkg.go.dev/vuln/GO-2026-4923). Applications should rebuild and redeploy with the patched dependency. As an interim measure, applications should avoid opening bbolt database files from untrusted sources and implement external validation or sandboxing when processing user-supplied or externally-derived database files. Verify the fix via the Go vulnerability database at pkg.go.dev/vuln/GO-2026-4923.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19406
GHSA-6jwv-w5xf-7j27