CVE-2026-33762
Received Received - Intake
Out-of-Bounds Slice in go-git Index Decoder Causes Panic

Publication date: 2026-03-31

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33762
EUVD
EUVD-2026-17443
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
go-git_project go-git to 5.17.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

If exploited, this vulnerability can cause the application using go-git to experience a runtime panic, leading to process termination and a denial-of-service (DoS) condition.

An attacker needs local write access to the .git directory to supply a maliciously crafted index file. If the application does not handle panics gracefully, this can disrupt normal operations, causing availability issues.

Compliance Impact

This vulnerability does not impact confidentiality or integrity, as it only causes a denial-of-service condition without exposing or modifying data.

Therefore, it has limited direct effect on compliance with standards like GDPR or HIPAA, which primarily focus on protecting data privacy and integrity.

Executive Summary

CVE-2026-33762 is a vulnerability in the go-git library, specifically in its index decoder for Git index format version 4. The decoder fails to properly validate the length of a path name prefix before applying it to a previously decoded path name. This improper validation can cause an out-of-bounds slice operation, which triggers a runtime panic during normal index parsing.

This issue only affects Git index format version 4; earlier supported formats (versions 2 and 3) are not vulnerable. The vulnerability arises when a maliciously crafted .git/index file is supplied, which requires write access to the local repository’s .git directory.

Detection Guidance

This vulnerability occurs when a maliciously crafted Git index file (format version 4) triggers a runtime panic during index parsing in the go-git library. Detection involves identifying if your system or application is using a vulnerable version of go-git (up to 5.17.0) and if any .git/index files have been tampered with.

Since the issue is triggered by a malformed .git/index file causing a runtime panic, monitoring application logs for unexpected panics or crashes related to go-git index parsing can help detect exploitation attempts.

To check the version of go-git in your project, you can run the following command in your Go module directory:

  • go list -m github.com/go-git/go-git/v5

To detect suspicious or potentially malicious .git/index files, you can inspect the index format version by running:

  • git ls-files --index-version

If the index version is 4, and you are using a vulnerable go-git version, the system may be at risk.

Mitigation Strategies

The primary mitigation step is to upgrade the go-git library to version 5.17.1 or later, where the vulnerability has been patched.

Additionally, ensure that only trusted users have write access to the .git directory to prevent maliciously crafted index files from being introduced.

If upgrading immediately is not possible, monitor your applications for runtime panics related to index parsing and handle such panics gracefully to avoid denial-of-service conditions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33762. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart