CVE-2026-34165
Memory Exhaustion DoS via Malicious .idx Files in go-git
Publication date: 2026-03-31
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| go-git_project | go-git | From 5.0.0 (inc) to 5.17.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can lead to a denial-of-service (DoS) condition by exhausting the available system memory through asymmetric memory consumption triggered by a malicious .idx file.
An attacker with write access to the local repositoryβs .git directory can exploit this issue to disrupt the normal operation of applications using the affected go-git library.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-34165 is a moderate severity vulnerability in the Go package github.com/go-git/go-git/v5, affecting versions from 5.0.0 up to 5.17.0. It involves a maliciously crafted .idx file that causes asymmetric memory consumption, which can exhaust system memory and lead to a denial-of-service (DoS) condition.
Exploitation requires the attacker to have write access to the local repositoryβs .git directory to create or modify .idx files.
The vulnerability stems from two weaknesses: an integer underflow (CWE-191) causing incorrect subtraction results, and allocation of resources without limits or throttling (CWE-770), allowing excessive memory consumption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying the version of the go-git library in use and checking for any suspicious or maliciously crafted .idx files within local git repositories.
Since exploitation requires write access to the local repository's .git directory to create or modify .idx files, monitoring file changes in these directories can help detect potential exploitation attempts.
Commands to assist detection might include:
- Checking the go-git version used by your application or system to ensure it is not between 5.0.0 and 5.17.0 (inclusive).
- Using file integrity monitoring tools or commands such as `find /path/to/repo/.git -name '*.idx' -exec ls -l {} \;` to list .idx files and their modification times.
- Monitoring system memory usage for unusual spikes that could indicate asymmetric memory consumption caused by malicious .idx files.
- Using audit tools like `auditd` to track write access to .git directories.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the go-git library to version 5.17.1 or later, including the latest v6 pseudo-version, where this vulnerability has been patched.
Additionally, restrict write access to the local repositoryβs .git directories to trusted users only, minimizing the risk of malicious .idx file creation or modification.
Implement monitoring and alerting for unusual memory consumption patterns and unexpected changes in .idx files within git repositories.