Red Hat CVE-2026-34165
MEDIUMSeverity by source
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
A vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition.
Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files.
Patches
Users should upgrade to v5.17.1, or the latest v6 pseudo-version, in order to mitigate this vulnerability.
Credit
The go-git maintainers thank @kq5y for finding and reporting this issue privately to the go-git project.
AnalysisAI
Maliciously crafted .idx files in go-git v5 cause asymmetric memory consumption leading to Denial of Service through integer overflow vulnerabilities. Exploitation requires local write access to the .git directory, limiting attack surface to scenarios where an attacker has already compromised repository access or can inject files into a shared repository. No public exploit code or active exploitation has been confirmed; however, the low CVSS complexity and requirement for only low-privilege local access make this a moderate operational concern for development environments and CI/CD systems that process untrusted repositories.
Technical ContextAI
The vulnerability exists in go-git (github.com/go-git/go-git), a pure Go implementation of Git that lacks bindings to platform-specific code. The root cause is an integer overflow condition (CWE-191) triggered by maliciously formatted Git index (.idx) files. Git index files contain metadata about staged objects and are parsed during repository operations. The integer overflow causes memory allocation calculations to wrap, resulting in undersized buffer allocation followed by excessive write operations that exhaust heap memory. This is a parsing-layer vulnerability in the go-git library's index file handler, affecting any application that uses go-git v5 to interact with Git repositories without validating index file integrity.
RemediationAI
Vendor-released patch: Upgrade go-git to v5.17.1 or migrate to the latest v6 pseudo-version. For Go module-based projects, execute go get -u github.com/go-git/go-git/v5@v5.17.1 or transition to v6 via go get -u github.com/go-git/go-git/v6@latest. If immediate patching is not feasible, restrict write access to .git directories in shared development or CI/CD environments and validate repository sources before processing. See the official advisory at https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp for additional context.
Same weakness CWE-191 – Integer Underflow
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Low| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-jhf3-xxhw-2wpp