CVE-2026-44740
Deferred Deferred - Pending Action
Billy Filesystem Abstraction Denial of Service

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-22
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-44740
EUVD
EUVD-2026-33663
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
go-git go-billy to 5.9.0|end_excluding=6.0.0-alpha.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, users should upgrade the go-billy library to the patched versions 5.9.0 or 6.0.0-alpha.1.

These versions include fixes for improper input handling that could cause panics, infinite loops, uncontrolled recursion, or excessive resource consumption.

Executive Summary

CVE-2026-44740 affects the go-billy library, a filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components improperly handle crafted or malformed input. This improper handling can cause panics, infinite loops, uncontrolled recursion, or excessive resource consumption.

The root cause is insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures.

The vulnerability has been patched in versions 5.9.0 and 6.0.0-alpha.1.

Impact Analysis

This vulnerability can impact system availability by causing panics, infinite loops, uncontrolled recursion, or excessive resource consumption when processing untrusted input.

Such impacts can lead to denial of service conditions, where the affected system or application becomes unresponsive or crashes.

The attack complexity is low, requires minimal privileges, and no user interaction, making it easier for an attacker to exploit.

Compliance Impact

The vulnerability primarily impacts system availability due to panics, infinite loops, uncontrolled recursion, or excessive resource consumption caused by improper input handling. There is no indication from the provided information that this vulnerability leads to unauthorized access, data breaches, or exposure of sensitive information.

As such, the vulnerability does not directly affect compliance with data protection standards and regulations like GDPR or HIPAA, which focus on confidentiality and integrity of personal or health data. However, the availability impact could indirectly affect operational continuity requirements under some regulations.

Detection Guidance

This vulnerability in the go-billy library arises from improper handling of crafted or malformed input, leading to panics, infinite loops, uncontrolled recursion, or excessive resource consumption. Detection would involve monitoring for abnormal application behavior such as crashes, hangs, or unusually high resource usage when processing repository data or filesystem structures.

Since the issue is related to specific versions of the go-billy library prior to 5.9.0 and 6.0.0-alpha.1, the primary detection method is to verify the version of the go-billy library in use.

  • Check the version of go-billy in your project dependencies to ensure it is 5.9.0 or later, or 6.0.0-alpha.1 or later.
  • Monitor application logs for panics or errors related to filesystem operations.
  • Use system monitoring tools to detect excessive CPU or memory usage that could indicate infinite loops or uncontrolled recursion.

Specific commands to check the version of go-billy in a Go project could include:

  • Run `go list -m all | grep go-billy` to identify the version of go-billy used in your module dependencies.
  • Use `go mod graph | grep go-billy` to see dependency graph entries involving go-billy.
  • Check your `go.sum` or `go.mod` files manually for the go-billy version.

For runtime detection, you may consider adding logging or instrumentation around filesystem operations that use go-billy to catch unexpected panics or hangs.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44740. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart