Bug 2453379 (CVE-2026-34165) - CVE-2026-34165 github.com/go-git/go-git/v5: go-git: Denial of Service via crafted .idx file
Status: NEW
Alias: CVE-2026-34165
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
Depends On: 2454518 2454520 2454526 2454528 2454530 2454532 2454534 2454536 2454538 2454541 2454544 2454547 2454549 2454551 2454553 2454555 2454557 2454561 2454563 2454565 2454569 2454571 2454573 2454522 2454524 2454559 2454567 2454575 2454577
Reported: 2026-03-31 15:03 UTC by OSIDB Bzimport
Modified: 2026-04-02 18:57 UTC

Description OSIDB Bzimport 2026-03-31 15:03:16 UTC
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory in order to create or alter existing .idx files. This issue has been patched in version 5.17.1.