Bug 2453379 (CVE-2026-34165)

Summary: CVE-2026-34165 github.com/go-git/go-git/v5: go-git: Denial of Service via crafted .idx file
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agarcial, alcohan, alinfoot, anjoseph, aoconnor, aprice, asegurap, bbrownin, caswilli, crizzo, derez, dfreiber, dhanak, drosa, drow, dschmidt, dsimansk, dtrifiro, dymurray, eborisov, eglynn, erezende, fdeutsch, gparvin, ibolton, jbalunas, jburrell, jcantril, jjoyce, jkoehler, jlanda, jmatthew, jmontleo, jprabhak, jsamir, jschluet, kaycoth, kbempah, kingland, kshier, kverlaen, lball, lchilton, lgamliel, lhh, ljawale, lphiri, luizcosta, manissin, mburns, mgarciac, mnovotny, ngough, nweather, oezr, oramraz, pahickey, pakotvan, pgaikwad, rbobbitt, rbryant, rfreiman, rhaigner, rjohnson, rojacob, sakbas, sausingh, sdawley, sfeifer, simaishi, slucidi, smcdonal, smullick, solenoci, sseago, stcannon, sthirugn, stirabos, teagle, thason, veshanka, vkumar, weaton, whayutin, wtam, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in go-git, an extensible Git implementation library. A local attacker with write access to a local repository's .git directory could create or alter a maliciously crafted .idx file. This could lead to asymmetric memory consumption, potentially exhausting available memory and causing a denial-of-service (DoS) condition.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2454518, 2454520, 2454526, 2454528, 2454530, 2454532, 2454534, 2454536, 2454538, 2454541, 2454544, 2454547, 2454549, 2454551, 2454553, 2454555, 2454557, 2454561, 2454563, 2454569, 2454573, 2454522, 2454524, 2454559, 2454565, 2454567, 2454571, 2454575, 2454577    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-31 15:03:16 UTC 
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.