CVE-2026-34165
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Description
### Impact

A vulnerability has been identified in which a maliciously crafted `.idx` file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a Denial of Service (DoS) condition. Exploitation requires write access to the local repository's `.git` directory in order to create or alter existing `.idx` files.

### Patches

Users should upgrade to `v5.17.1`, or the latest `v6` [pseudo-version](https://go.dev/ref/mod#pseudo-versions), in order to mitigate this vulnerability.

### Credit

The go-git maintainers thank @kq5y for finding and reporting this issue privately to the `go-git` project.
Analysis
Maliciously crafted `.idx` files in go-git v5 cause asymmetric memory consumption leading to Denial of Service through integer overflow vulnerabilities. Exploitation requires local write access to the `.git` directory, limiting attack surface to scenarios where an attacker has already compromised repository access or can inject files into a shared repository. …
GHSA-jhf3-xxhw-2wpp