Bug 2438332 (CVE-2026-25934)

Summary: CVE-2026-25934 go-git/go-git: go-git: Data integrity issue due to improper verification of pack and index files
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adudiak, agarcial, alcohan, anjoseph, aoconnor, aprice, asegurap, caswilli, crizzo, derez, dfreiber, dhanak, drosa, drow, dschmidt, dsimansk, dymurray, eglynn, erezende, fdeutsch, gparvin, ibolton, jbalunas, jburrell, jcantril, jjoyce, jkoehler, jmatthew, jmontleo, jprabhak, jsamir, jschluet, kaycoth, kingland, kshier, kverlaen, lball, lchilton, lgamliel, lhh, ljawale, lphiri, luizcosta, manissin, mattdavi, mburns, mgarciac, mnovotny, ngough, nweather, oezr, oramraz, pahickey, pakotvan, pgaikwad, rbobbitt, rfreiman, rhaigner, rjohnson, rojacob, sausingh, sdawley, sfeifer, simaishi, slucidi, smcdonal, smullick, sseago, stcannon, sthirugn, stirabos, teagle, thason, veshanka, vkumar, whayutin, wtam, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in go-git, a library for Git implementation in Go. This vulnerability allows a remote attacker to provide specially crafted Git pack or index files that are not properly verified for data integrity. Successful exploitation could lead to the go-git library processing corrupted data, which may result in unexpected application errors such as 'object not found'.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-09 23:01:16 UTC 
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.