CVE-2026-33762
Out-of-Bounds Slice in go-git Index Decoder Causes Panic
Publication date: 2026-03-31
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| go-git_project | go-git | to 5.17.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
If exploited, this vulnerability can cause the application using go-git to experience a runtime panic, leading to process termination and a denial-of-service (DoS) condition.
An attacker needs local write access to the .git directory to supply a maliciously crafted index file. If the application does not handle panics gracefully, this can disrupt normal operations, causing availability issues.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability does not impact confidentiality or integrity, as it only causes a denial-of-service condition without exposing or modifying data.
Therefore, it has limited direct effect on compliance with standards like GDPR or HIPAA, which primarily focus on protecting data privacy and integrity.
Can you explain this vulnerability to me?
CVE-2026-33762 is a vulnerability in the go-git library, specifically in its index decoder for Git index format version 4. The decoder fails to properly validate the length of a path name prefix before applying it to a previously decoded path name. This improper validation can cause an out-of-bounds slice operation, which triggers a runtime panic during normal index parsing.
This issue only affects Git index format version 4; earlier supported formats (versions 2 and 3) are not vulnerable. The vulnerability arises when a maliciously crafted .git/index file is supplied, which requires write access to the local repositoryβs .git directory.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when a maliciously crafted Git index file (format version 4) triggers a runtime panic during index parsing in the go-git library. Detection involves identifying if your system or application is using a vulnerable version of go-git (up to 5.17.0) and if any .git/index files have been tampered with.
Since the issue is triggered by a malformed .git/index file causing a runtime panic, monitoring application logs for unexpected panics or crashes related to go-git index parsing can help detect exploitation attempts.
To check the version of go-git in your project, you can run the following command in your Go module directory:
- go list -m github.com/go-git/go-git/v5
To detect suspicious or potentially malicious .git/index files, you can inspect the index format version by running:
- git ls-files --index-version
If the index version is 4, and you are using a vulnerable go-git version, the system may be at risk.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the go-git library to version 5.17.1 or later, where the vulnerability has been patched.
Additionally, ensure that only trusted users have write access to the .git directory to prevent maliciously crafted index files from being introduced.
If upgrading immediately is not possible, monitor your applications for runtime panics related to index parsing and handle such panics gracefully to avoid denial-of-service conditions.