Dulwich CVE-2026-47734
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (https://github.com/jelmer/dulwich).
CVSS VectorVendor: https://github.com/jelmer/dulwich
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Impact
An uncontrolled-resource-consumption (memory exhaustion) denial-of-service vulnerability (CWE-400 / CWE-789).
A client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge dest_size. When dulwich ingested it via add_thin_pack / apply_delta, it would allocate hundreds of MB of memory based on that attacker-controlled size, with no relationship to the actual bytes received.
Who is impacted: Operators running a Dulwich-based Git server that exposes git-receive-pack (i.e. accepts pushes) - for example via dulwich.server functionality, the HTTP smart server, or anything built on ReceivePackHandler.
Patches
Patched in 1.2.5.
add_thin_pack now accepts a max_input_size keyword (bytes; 0/None = unlimited, matching git's semantics), and ReceivePackHandler reads receive.maxInputSize from the repository config and passes it through. Wire reads are counted and a PackInputTooLarge exception is raised once the cap is exceeded - equivalent to git index-pack --max-input-size.
Users should upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in their server's repository config to a sane bound for their environment.
Workarounds
On unpatched versions, receive.maxInputSize has no effect, so it cannot be used as a workaround. Until upgrading, operators should:
- Restrict dulwich-receive-pack (push) access to trusted, authenticated clients only, or disable it entirely on servers that only need to serve fetches.
- Run the server under an OS-level memory limit (e.g. ulimit, cgroups/MemoryMax, or a container memory limit) so a malicious push is killed rather than taking down the host.
Resources
- git's receive.maxInputSize / git index-pack --max-input-size documentation
- Reported by Liyi, Ziyue, Strick, Maurice and Chenchen @ University of Sydney
AnalysisAI
Memory exhaustion denial-of-service in Dulwich's git-receive-pack handler allows any client with push access to crash the server by sending a ~174-byte crafted thin pack. The pack's delta header declares an arbitrarily large dest_size value, causing dulwich's add_thin_pack/apply_delta code to allocate hundreds of megabytes of memory with no relationship to the actual bytes received. No public exploit code and no CISA KEV listing exist at time of analysis; the CVSS 5.7 Medium score reflects the low-privilege network vector but is bounded by the requirement that the attacker hold push credentials.
Technical ContextAI
Dulwich (pkg:pip/dulwich) is a pure-Python implementation of the Git protocol and object model. The vulnerability resides in thin pack ingestion: a thin pack is a pack file where delta objects may reference base objects not included in the pack itself, which the receiver must resolve. During ingestion, dulwich's add_thin_pack calls apply_delta, which reads an attacker-controlled dest_size field from the delta header and immediately pre-allocates a byte buffer of that size - without first verifying that the declared size bears any relationship to the actual wire bytes present. CWE-400 (Uncontrolled Resource Consumption) and CWE-789 (Uncontrolled Memory Allocation) are both applicable root-cause classes. The ReceivePackHandler, used by dulwich.server, the HTTP smart server, and any custom code built on the handler, is the exposed entry point. The patch introduces a max_input_size parameter to add_thin_pack, reads receive.maxInputSize from repository config, counts wire bytes, and raises PackInputTooLarge once the cap is exceeded - mirroring the semantics of git index-pack --max-input-size.
RemediationAI
Upgrade to dulwich 1.2.5 or later; this is the vendor-confirmed fix per GHSA-xrvj-v92f-53gj. After upgrading, set receive.maxInputSize in the server repository's git config to a byte value appropriate for your largest legitimate push (e.g., receive.maxInputSize = 52428800 for 50 MB); leaving it unset or set to 0 restores unlimited behaviour matching git's semantics. For operators unable to upgrade immediately, the advisory explicitly states that receive.maxInputSize has no effect on unpatched versions and cannot be used as a workaround. Instead, restrict git-receive-pack (push) access to trusted, authenticated clients only - or disable push entirely on fetch-only servers - to remove untrusted actors from the attack surface. Additionally, run the dulwich server process under an OS-level memory ceiling using ulimit -v, cgroups MemoryMax, or a container memory limit so that a malicious push triggers an OOM kill of the process rather than exhausting host memory and destabilising other services. Note that process-kill mitigations do not prevent repeated DoS attempts and are only stopgaps until upgrade.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Public Cloud 12 | Affected |
| SUSE Linux Enterprise Server 12 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 | Affected |
| SUSE Linux Enterprise High Performance Computing 12 | Affected |
| SUSE Linux Enterprise Server 12 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Affected |
| SUSE Linux Enterprise Server 12 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Affected |
| SUSE Linux Enterprise Server 12 SP5 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 12 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Affected |
| SUSE Linux Enterprise Module for Public Cloud 12 | Affected |
| SUSE Linux Enterprise Server 12 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP4 | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5 | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6 | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Manager Proxy 4.3 | Affected |
| SUSE Manager Proxy LTS 4.3 | Affected |
| SUSE Manager Retail Branch Server 4.3 | Affected |
| SUSE Manager Retail Branch Server LTS 4.3 | Affected |
| SUSE Manager Server 4.3 | Affected |
| SUSE Manager Server LTS 4.3 | Affected |
| SUSE Linux Enterprise Desktop 15 SP4 | Affected |
| SUSE Linux Enterprise Desktop 15 SP5 | Affected |
| SUSE Linux Enterprise Desktop 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | Affected |
| SUSE Linux Enterprise Server 12 | Affected |
| SUSE Linux Enterprise Server 12 SP3 | Affected |
| SUSE Linux Enterprise Server 12 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| openSUSE Leap 15.4 | Affected |
| openSUSE Leap 15.5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-xrvj-v92f-53gj