Skip to main content

gitoxide EUVDEUVD-2026-31831

| CVE-2026-40034 HIGH
Command Injection (CWE-77)
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 10:17 vuln.today
Analysis Generated
Jun 08, 2026 - 10:17 vuln.today
CVSS changed
May 26, 2026 - 15:22 NVD
7.8 (HIGH) 8.5 (HIGH)

DescriptionCVE.org

gix-submodule before 0.82.0 incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration guard when a submodule has been initialized with only partial configuration in .git/config. An attacker can inject arbitrary shell commands via the update field in .gitmodules that will be executed when Submodule::update() is called on a previously-initialized submodule, enabling remote code execution.

AnalysisAI

Command injection in the gitoxide Rust library (gix-submodule crate before 0.82.0, gix before 0.83.0) allows attackers controlling a repository's .gitmodules file to bypass the CommandForbiddenInModulesConfiguration guard and achieve arbitrary command execution when Submodule::update() runs against a previously-initialized submodule. The flaw stems from gix_submodule::File::update() checking only whether a same-named section exists in .git/config rather than verifying that the update value itself originated from that trusted source, so an attacker-supplied 'update = !cmd' falls through to execution. Publicly available exploit code exists (PoC referenced by VulnCheck and Anthropic), though EPSS is low (0.02%) and the issue is not in CISA KEV.

Technical ContextAI

gitoxide is a pure-Rust reimplementation of Git, and the gix-submodule crate handles parsing of .gitmodules submodule definitions. Git's submodule.<name>.update key supports a '!command' form whose execution Git restricts to trusted .git/config sources because of historical abuse (CVE-2019-19604). In gix_submodule/src/access.rs, File::update() looks up the value via gix_config's section iteration (newest-to-oldest) and then attempts to confirm trust by calling sections_by_name("submodule"); however, the guard only confirms that some non-.gitmodules section bearing the submodule name exists, not that the specific 'update' key was set there. This is a classic CWE-77 (Improper Neutralization of Special Elements used in a Command) caused by an incomplete provenance check on configuration values. Affected CPE is cpe:2.3:a:gitoxide:gitoxide:*:*:*:*:*:*:*:*, covering the rust/gix crate at versions >= 0.31.0 and < 0.83.0.

RemediationAI

Vendor-released patch: upgrade gix-submodule to 0.82.0 or later, or gix to 0.83.0 or later, with fixes landed in commits 6a2e6a436f76c8bbf2487f9967413a51356667a0 and dd5c18d9e526e8de462fa40aa047acd097cfa7dc (see https://github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-f26g-jm89-4g65 and the VulnCheck advisory at https://www.vulncheck.com/advisories/gitoxide-command-injection-via-partial-gitmodules-override-in-gix-submodule). Downstream Rust projects should run 'cargo update -p gix-submodule -p gix' and rebuild; SUSE and other distributors should pick up the fixed crate versions. As a workaround until the upgrade lands, avoid calling gix::Submodule::update() on repositories obtained from untrusted sources, or pre-validate that no '.gitmodules' submodule contains an 'update' key beginning with '!' - the trade-off is that legitimate submodule update flows must be paused or wrapped, which can break automation that depends on submodule checkout behavior.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

EUVD-2026-31831 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy