CVE-2026-34165
go-git: Maliciously crafted idx file can cause asymmetric memory consumption
CVSS Score
5.0
EPSS Score
0.0%
EPSS Percentile
2th
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.
| CWE | CWE-191 CWE-770 |
| Vendor | go-git |
| Product | go-git |
| Published | Mar 31, 2026 |
| Last Updated | Apr 2, 2026 |
Stay Ahead of the Next One
Get instant alerts for go-git go-git
Be the first to know when new medium vulnerabilities affecting go-git go-git are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
go-git / go-git
>= 5.0.0, < 5.17.1