CVE-2026-44740
Deferred Deferred - Pending Action

Billy Filesystem Abstraction Denial of Service

Vulnerability report for CVE-2026-44740, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description

Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-07-12
AI Q&A
2026-06-01
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
go-git go-billy to 5.9.0|end_excluding=6.0.0-alpha.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44740 affects the go-billy library, a filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components improperly handle crafted or malformed input. This improper handling can cause panics, infinite loops, uncontrolled recursion, or excessive resource consumption.

The root cause is insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures.

The vulnerability has been patched in versions 5.9.0 and 6.0.0-alpha.1.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade the go-billy library to the patched versions 5.9.0 or 6.0.0-alpha.1.

These versions include fixes for improper input handling that could cause panics, infinite loops, uncontrolled recursion, or excessive resource consumption.

Compliance Impact

The vulnerability primarily impacts system availability due to panics, infinite loops, uncontrolled recursion, or excessive resource consumption caused by improper input handling. There is no indication from the provided information that this vulnerability leads to unauthorized access, data breaches, or exposure of sensitive information.

As such, the vulnerability does not directly affect compliance with data protection standards and regulations like GDPR or HIPAA, which focus on confidentiality and integrity of personal or health data. However, the availability impact could indirectly affect operational continuity requirements under some regulations.

Impact Analysis

This vulnerability can impact system availability by causing panics, infinite loops, uncontrolled recursion, or excessive resource consumption when processing untrusted input.

Such impacts can lead to denial of service conditions, where the affected system or application becomes unresponsive or crashes.

The attack complexity is low, requires minimal privileges, and no user interaction, making it easier for an attacker to exploit.

Detection Guidance

This vulnerability in the go-billy library arises from improper handling of crafted or malformed input, leading to panics, infinite loops, uncontrolled recursion, or excessive resource consumption. Detection would involve monitoring for abnormal application behavior such as crashes, hangs, or unusually high resource usage when processing repository data or filesystem structures.

Since the issue is related to specific versions of the go-billy library prior to 5.9.0 and 6.0.0-alpha.1, the primary detection method is to verify the version of the go-billy library in use.

  • Check the version of go-billy in your project dependencies to ensure it is 5.9.0 or later, or 6.0.0-alpha.1 or later.
  • Monitor application logs for panics or errors related to filesystem operations.
  • Use system monitoring tools to detect excessive CPU or memory usage that could indicate infinite loops or uncontrolled recursion.

Specific commands to check the version of go-billy in a Go project could include:

  • Run `go list -m all | grep go-billy` to identify the version of go-billy used in your module dependencies.
  • Use `go mod graph | grep go-billy` to see dependency graph entries involving go-billy.
  • Check your `go.sum` or `go.mod` files manually for the go-billy version.

For runtime detection, you may consider adding logging or instrumentation around filesystem operations that use go-billy to catch unexpected panics or hangs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44740. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart