Skip to main content

Red Hat CVE-2026-34165

MEDIUM
Integer Underflow (CWE-191)
2026-03-30 https://github.com/go-git/go-git GHSA-jhf3-xxhw-2wpp
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
SUSE
3.1 LOW
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Red Hat
5.0 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 30, 2026 - 17:36 vuln.today
CVE Published
Mar 30, 2026 - 17:17 nvd
MEDIUM 5.0

DescriptionGitHub Advisory

Impact

A vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.

Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files.

Patches

Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.

Credit

The go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.

AnalysisAI

Maliciously crafted .idx files in go-git v5 cause asymmetric memory consumption leading to Denial of Service through integer overflow vulnerabilities. Exploitation requires local write access to the .git directory, limiting attack surface to scenarios where an attacker has already compromised repository access or can inject files into a shared repository. No public exploit code or active exploitation has been confirmed; however, the low CVSS complexity and requirement for only low-privilege local access make this a moderate operational concern for development environments and CI/CD systems that process untrusted repositories.

Technical ContextAI

The vulnerability exists in go-git (github.com/go-git/go-git), a pure Go implementation of Git that lacks bindings to platform-specific code. The root cause is an integer overflow condition (CWE-191) triggered by maliciously formatted Git index (.idx) files. Git index files contain metadata about staged objects and are parsed during repository operations. The integer overflow causes memory allocation calculations to wrap, resulting in undersized buffer allocation followed by excessive write operations that exhaust heap memory. This is a parsing-layer vulnerability in the go-git library's index file handler, affecting any application that uses go-git v5 to interact with Git repositories without validating index file integrity.

RemediationAI

Vendor-released patch: Upgrade go-git to v5.17.1 or migrate to the latest v6 pseudo-version. For Go module-based projects, execute go get -u github.com/go-git/go-git/v5@v5.17.1 or transition to v6 via go get -u github.com/go-git/go-git/v6@latest. If immediate patching is not feasible, restrict write access to .git directories in shared development or CI/CD environments and validate repository sources before processing. See the official advisory at https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp for additional context.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-34165 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy