Vulnerability Description
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Go-Git Project | Go-Git | >= 5.0.0, < 5.17.1 |
Related Weaknesses (CWE)
References
- https://github.com/go-git/go-git/releases/tag/v5.17.1ProductRelease Notes
- https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wppVendor Advisory
FAQ
What is CVE-2026-34165?
CVE-2026-34165 is a vulnerability with a CVSS score of 5.0 (MEDIUM). go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cau...
How severe is CVE-2026-34165?
CVE-2026-34165 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34165?
Check the references section above for vendor advisories and patch information. Affected products include: Go-Git Project Go-Git.