Skip to main content

Go Etcd Io Bbolt EUVDEUVD-2026-19406

| CVE-2026-33817 MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-06 Go GHSA-6jwv-w5xf-7j27
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 06, 2026 - 19:00 euvd
EUVD-2026-19406
Analysis Generated
Apr 06, 2026 - 19:00 vuln.today
CVE Published
Apr 06, 2026 - 18:13 nvd
MEDIUM 6.2

DescriptionCVE.org

Index out-of-range when encountering a branch page with zero elements in go.etcd.io/bbolt

AnalysisAI

Index out-of-bounds read in go.etcd.io/bbolt allows local unauthenticated attackers to cause a denial of service by crafting a malicious database file with a branch page containing zero elements, triggering a crash during cursor traversal. The vulnerability affects all versions of the library and has been patched upstream; no public exploit code or active exploitation has been reported.

Technical ContextAI

go.etcd.io/bbolt is a pure Go key-value store library implementing an embedded B+tree structure for transactional data storage, commonly used in Go applications requiring local persistence. The root cause is a classic buffer over-read (CWE-125: Out-of-bounds Read) occurring during branch page traversal when the cursor attempts to access array indices without validating that the branch page contains at least one element. The vulnerability manifests in the pagination logic where a branch page with zero child pointers is accessed as if it contained valid entries, leading to memory access beyond allocated bounds and triggering a panic in the Go runtime.

RemediationAI

Update go.etcd.io/bbolt to a version incorporating commit 386d5b69785937d1aa20cb25c8439404cf398143 from PR #1171 (exact stable version number should be confirmed via github.com/etcd-io/bbolt releases or pkg.go.dev/vuln/GO-2026-4923). Applications should rebuild and redeploy with the patched dependency. As an interim measure, applications should avoid opening bbolt database files from untrusted sources and implement external validation or sandboxing when processing user-supplied or externally-derived database files. Verify the fix via the Go vulnerability database at pkg.go.dev/vuln/GO-2026-4923.

Share

EUVD-2026-19406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy