Bug 2453382 (CVE-2026-33762) - CVE-2026-33762 github.com/go-git/go-git/v5: go-git: Denial of Service via crafted Git index file
Keywords:
Status: NEW
Alias: CVE-2026-33762
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2454519 2454521 2454523 2454525 2454527 2454529 2454531 2454533 2454535 2454537 2454540 2454543 2454546 2454548 2454550 2454552 2454554 2454556 2454558 2454560 2454562 2454564 2454566 2454570 2454572 2454574 2454576 2454578 2454568
Blocks:
Reported: 2026-03-31 15:03 UTC by OSIDB Bzimport
Modified: 2026-04-02 19:00 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-03-31 15:03:29 UTC
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
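The check the description refers to, as an added example (this is not go-git's code or its patch): in index format version 4 each path is stored as a varint count of bytes to drop from the end of the previous path, followed by a NUL-terminated suffix, so the count must be bounded by the previous path's length before slicing. The names `readVarint`, `decodeV4Name` and `ErrBadStrip` and the input bytes are constructed for this illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
)

// ErrBadStrip is a name chosen for this example, not a go-git identifier.
var ErrBadStrip = errors.New("index v4: strip length exceeds previous path")

// readVarint decodes Git's offset-style variable-width integer.
func readVarint(r *bufio.Reader) (uint64, error) {
	c, err := r.ReadByte()
	v := uint64(c & 0x7f)
	for err == nil && c&0x80 != 0 {
		if v >= 1<<56 { // conservative bound: reject before the shift can overflow
			return 0, errors.New("index v4: varint overflow")
		}
		c, err = r.ReadByte()
		v = (v+1)<<7 | uint64(c&0x7f)
	}
	return v, err
}

// decodeV4Name rebuilds one entry path from the previously decoded path.
func decodeV4Name(prev string, r *bufio.Reader) (string, error) {
	strip, err := readVarint(r)
	if err != nil {
		return "", err
	}
	if strip > uint64(len(prev)) { // without this, prev[:len(prev)-strip] panics
		return "", fmt.Errorf("%w: strip=%d prev=%d", ErrBadStrip, strip, len(prev))
	}
	suffix, err := r.ReadBytes(0) // suffix includes the terminating NUL
	if err != nil {
		return "", err
	}
	return prev[:len(prev)-int(strip)] + string(suffix[:len(suffix)-1]), nil
}

func main() {
	// Constructed name fields: a valid one (strip 4), then an oversized strip (9).
	r := bufio.NewReader(bytes.NewReader([]byte{4, 'b', '.', 'g', 'o', 0, 9, 'x', 0}))
	first, _ := decodeV4Name("src/a.go", r)
	_, err := decodeV4Name(first, r)
	fmt.Println(first, err)
}
```

Returning an error here lets the caller treat a malformed index as corrupt input instead of crashing the process that parses it.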

