PT-2026-29156 · Go-Git · Go-Git

Kq5Y

Publicado

2026-03-30

Atualizado

2026-05-18

CVE-2026-33762

CVSS v3.1

2.8

Baixa

Vetor

AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions go-git versions prior to 5.17.1

Description The go-git library’s index decoder for Git index format version 4 does not properly validate the path name prefix length before applying it to the previously decoded path name. A specially crafted index file can cause an out-of-bounds slice operation, leading to a runtime panic during index parsing. This issue only affects Git index format version 4. An attacker with the ability to modify or inject a Git index file within a local repository can cause applications using go-git to terminate, resulting in a denial-of-service (DoS) condition.

Recommendations Upgrade to version 5.17.1, or the latest version 6.

Exploit

Correção

Improper Validation of Array Index

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-129

Identificadores relacionados

CLEANSTART-2026-BU65096

CLEANSTART-2026-DQ17669

CLEANSTART-2026-ET12387

CLEANSTART-2026-FV86809

CLEANSTART-2026-GN78570

CLEANSTART-2026-JG72006

CLEANSTART-2026-LO26058

CLEANSTART-2026-LU21824

CLEANSTART-2026-ML41879

CLEANSTART-2026-NR54556

CLEANSTART-2026-NT80635

CLEANSTART-2026-TT42218

CLEANSTART-2026-VT65447

CVE-2026-33762

GHSA-GM2X-2G9H-CCM8

GO-2026-4909

Produtos afetados

Go-Git

PT-2026-29156 · Go-Git · Go-Git

CVE-2026-33762

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 168