CVE-2026-33762

CVSS v3.1

2.8

Low

Vector

AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions go-git versions prior to 5.17.1

Description The go-git library’s index decoder for Git index format version 4 does not properly validate the path name prefix length before applying it to the previously decoded path name. A specially crafted index file can cause an out-of-bounds slice operation, leading to a runtime panic during index parsing. This issue only affects Git index format version 4. An attacker with the ability to modify or inject a Git index file within a local repository can cause applications using go-git to terminate, resulting in a denial-of-service (DoS) condition.

Recommendations Upgrade to version 5.17.1, or the latest version 6.

Exploit

Fix

Improper Validation of Array Index

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-129

Related Identifiers

CLEANSTART-2026-BU65096

CLEANSTART-2026-DQ17669

CLEANSTART-2026-ET12387

CLEANSTART-2026-FV86809

CLEANSTART-2026-GN78570

CLEANSTART-2026-JG72006

CLEANSTART-2026-LO26058

CLEANSTART-2026-LU21824

CLEANSTART-2026-ML41879

CLEANSTART-2026-NR54556

CLEANSTART-2026-NT80635

CLEANSTART-2026-TT42218

CLEANSTART-2026-VT65447

CVE-2026-33762

GHSA-GM2X-2G9H-CCM8

GO-2026-4909

Affected Products

Go-Git

CVE-2026-33762

Weakness Enumeration

Related Identifiers

Affected Products

References · 168