CVE-2026-34165
Received Received - Intake
Memory Exhaustion DoS via Malicious .idx Files in go-git

Publication date: 2026-03-31

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34165
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
go-git_project go-git From 5.0.0 (inc) to 5.17.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34165 is a moderate severity vulnerability in the Go package github.com/go-git/go-git/v5, affecting versions from 5.0.0 up to 5.17.0. It involves a maliciously crafted .idx file that causes asymmetric memory consumption, which can exhaust system memory and lead to a denial-of-service (DoS) condition.

Exploitation requires the attacker to have write access to the local repository’s .git directory to create or modify .idx files.

The vulnerability stems from two weaknesses: an integer underflow (CWE-191) causing incorrect subtraction results, and allocation of resources without limits or throttling (CWE-770), allowing excessive memory consumption.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition by exhausting the available system memory through asymmetric memory consumption triggered by a malicious .idx file.

An attacker with write access to the local repository’s .git directory can exploit this issue to disrupt the normal operation of applications using the affected go-git library.

Detection Guidance

Detection of this vulnerability involves verifying the version of the go-git library in use and checking for any suspicious or maliciously crafted .idx files within local git repositories.

Since exploitation requires write access to the local repository's .git directory to create or modify .idx files, monitoring file changes in these directories can help detect potential exploitation attempts.

Commands to assist detection might include:

  • Checking the go-git version used by your application or system to ensure it is not between 5.0.0 and 5.17.0 (inclusive).
  • Using file integrity monitoring tools or commands such as `find /path/to/repo/.git -name '*.idx' -exec ls -l {} \;` to list .idx files and their modification times.
  • Monitoring system memory usage for unusual spikes that could indicate asymmetric memory consumption caused by malicious .idx files.
  • Using audit tools like `auditd` to track write access to .git directories.
Mitigation Strategies

The primary mitigation step is to upgrade the go-git library to version 5.17.1 or later, including the latest v6 pseudo-version, where this vulnerability has been patched.

Additionally, restrict write access to the local repository’s .git directories to trusted users only, minimizing the risk of malicious .idx file creation or modification.

Implement monitoring and alerting for unusual memory consumption patterns and unexpected changes in .idx files within git repositories.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34165. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart