CVE-2026-47734
Status: Received (Intake)
Memory Exhaustion in Dulwich Git Server

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge dest_size. When Dulwich ingested it via add_thin_pack / apply_delta, it allocated hundreds of MB of memory based on that attacker-controlled size, with no relationship to the number of bytes actually received.

Operators running a Dulwich-based Git server that exposes git-receive-pack (i.e. accepts pushes), for example via the dulwich.server functionality, the HTTP smart server, or anything built on ReceivePackHandler, are affected.

The issue is patched in 1.2.5. add_thin_pack now accepts a max_input_size keyword (in bytes; 0/None = unlimited, matching git's semantics), and ReceivePackHandler reads receive.maxInputSize from the repository config and passes it through. Wire reads are counted and a PackInputTooLarge exception is raised once the cap is exceeded, equivalent to git index-pack --max-input-size.

Users should upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in their server's repository config to a sane bound for their environment. On unpatched versions receive.maxInputSize has no effect, so it cannot be used as a workaround. Until upgrading, operators should restrict dulwich-receive-pack (push) access to trusted, authenticated clients only, or disable it entirely on servers that only need to serve fetches; in addition, run the server under an OS-level memory limit (e.g. ulimit, cgroups/MemoryMax, or a container memory limit) so a malicious push is killed rather than taking down the host.
Affected Vendors & Products
Vendor    Product    Version / Range
dulwich   dulwich    up to 1.2.5 (exclusive): affected
dulwich   dulwich    from 1.2.5 (inclusive): patched, per the description above
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

This vulnerability exists in Dulwich, a pure-Python implementation of Git file formats and protocols. In versions from 0.1.0 up to but not including 1.2.5, a client with push access could send a specially crafted thin pack with a delta header that declares a very large destination size. When Dulwich processes this pack, it allocates a large amount of memory based on the attacker-controlled size, which is disproportionate to the actual data received.

This can cause the server to consume hundreds of megabytes of memory unnecessarily, potentially leading to resource exhaustion.

The issue affects Dulwich-based Git servers that accept pushes, such as those using dulwich.server functionality, the HTTP smart server, or anything built on ReceivePackHandler.

The vulnerability is fixed in Dulwich version 1.2.5 by introducing a max_input_size limit and raising an exception if the input exceeds this limit.
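The mechanics described in the Description and the Executive Summary, as an added example written for this page rather than code from Dulwich: the varint delta header and the copy/insert op layout are the real git delta format, but PackInputTooLarge, LimitedReader, apply_delta, ingest and the sample deltas are this example's own names and constructed data. The byte-counting reader mirrors the max_input_size idea from the advisory; the streaming applier that never preallocates the declared dest_size is an additional defensive pattern shown here, not the Dulwich patch.

```python
"""Added example, not Dulwich code: a git-format delta whose header claims a huge
dest_size, the allocation a naive applier would make from it, and two defences."""
import io


class PackInputTooLarge(Exception):
    """Raised once the wire byte count exceeds max_input_size."""


def encode_size(n):
    """Git delta-header varint: 7 data bits per byte, low group first, MSB = more."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def decode_size(buf, off):
    """Decode one varint at buf[off:]; return (value, offset after it)."""
    size = shift = 0
    while True:
        b, off = buf[off], off + 1
        size |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return size, off


def parse_delta_header(delta):
    """Return (src_size, dest_size, offset of the first op)."""
    src_size, off = decode_size(delta, 0)
    dest_size, off = decode_size(delta, off)
    return src_size, dest_size, off


def naive_preallocation(delta):
    """Bytes a 'bytearray(dest_size)'-style applier would reserve before reading a
    single op (the attacker-controlled number). Returned, not allocated, so it is safe."""
    return parse_delta_header(delta)[1]


class LimitedReader:
    """Counts bytes pulled from the wire; raises at the cap (0/None = unlimited)."""

    def __init__(self, raw, max_input_size):
        self._raw, self._cap, self.count = raw, max_input_size or 0, 0

    def read(self, n=-1):
        chunk = self._raw.read(n)
        self.count += len(chunk)
        if self._cap and self.count > self._cap:
            raise PackInputTooLarge(f"{self.count} bytes read, cap is {self._cap}")
        return chunk


def ingest(wire, max_input_size):
    """Read a pushed pack through the cap in chunks; return bytes consumed."""
    reader = LimitedReader(io.BytesIO(wire), max_input_size)
    while reader.read(4096):
        pass
    return reader.count


def apply_delta(base, delta):
    """Streaming applier: the output grows only with the ops actually present and
    the declared sizes are validated, never used to reserve memory up front."""
    src_size, dest_size, off = parse_delta_header(delta)
    if src_size != len(base):
        raise ValueError("source size mismatch")
    out = bytearray()
    while off < len(delta):
        cmd, off = delta[off], off + 1
        if cmd & 0x80:  # copy op: bits 0-3 select offset bytes, bits 4-6 size bytes
            cp_off = cp_size = 0
            for i in range(4):
                if cmd & (1 << i):
                    cp_off |= delta[off] << (8 * i)
                    off += 1
            for i in range(3):
                if cmd & (1 << (4 + i)):
                    cp_size |= delta[off] << (8 * i)
                    off += 1
            cp_size = cp_size or 0x10000  # git: a zero size field means 64 KiB
            if cp_off + cp_size > len(base):
                raise ValueError("copy outside base")
            out += base[cp_off:cp_off + cp_size]
        elif cmd:  # insert op: cmd is the literal length (1..127)
            out += delta[off:off + cmd]
            off += cmd
        else:
            raise ValueError("reserved op 0")
    if len(out) != dest_size:
        raise ValueError("output size does not match declared dest_size")
    return bytes(out)


# Constructed inputs, not captured from a real push.
BASE = b"hello, world\n"
# Honest delta: copy all 13 base bytes (0x90 = copy with one size byte), insert 6 literals.
HONEST = encode_size(13) + encode_size(19) + b"\x90\x0d" + b"\x06extra\n"
# Crafted delta: a 6-byte header claiming a 512 MiB result, followed by no ops at all.
CRAFTED = encode_size(0) + encode_size(512 * 1024 * 1024)
```

naive_preallocation(CRAFTED) returns 536870912 for a six-byte input, which is the disproportion the advisory describes. The wire cap is the defence that matches git's receive.maxInputSize semantics and is the one to rely on: a delta's legitimate output can exceed its input by up to 64 KiB per one-byte copy op, so a cap on dest_size alone would reject honest pushes, whereas a cap on bytes read bounds both the input and, through the op count, the work done.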

Impact Analysis

This vulnerability can impact you by allowing an attacker with push access to cause your Dulwich-based Git server to allocate excessive memory, potentially leading to denial of service (DoS).

The excessive memory allocation can exhaust server resources, causing the server to slow down, crash, or become unresponsive.

If unpatched, this could disrupt your development workflows and impact availability of your Git services.

Until you upgrade, mitigating actions include restricting push access to trusted clients only, disabling push functionality if not needed, or running the server with OS-level memory limits to prevent host crashes.

Detection Guidance

This vulnerability is triggered by a maliciously crafted thin pack pushed to a Dulwich-based Git server, so the observable symptom is memory growth in whichever process handles the push: the dulwich-receive-pack process for command-line or SSH access, or the web server process for the HTTP smart server. Monitor the resident memory of that process during push operations and alert on spikes that are out of proportion to the bytes received.

Correlate push attempts in the server's access logs (time, source, repository) with memory spikes, out-of-memory kills, or crashes; a push of only a few hundred bytes followed by a jump of hundreds of MB matches the behaviour described here.

On unpatched versions there is no application-level signal, so process-level memory monitoring is the only option. On 1.2.5 and later, a PackInputTooLarge exception marks a push rejected for exceeding receive.maxInputSize, which is worth logging and alerting on in its own right.

Mitigation Strategies

The primary fix is to upgrade Dulwich to version 1.2.5 or later, where the vulnerability is patched. Then:

  • Set receive.maxInputSize in the server's repository configuration to a reasonable bound for your environment (0/None means unlimited). This setting is only honoured from 1.2.5 onward; on unpatched versions it has no effect.
  • Restrict dulwich-receive-pack (push) access to trusted, authenticated clients only.
  • If upgrading is not immediately possible, disable push access entirely on servers that only need to serve fetches.
  • Run the server under an OS-level memory limit (e.g., ulimit, cgroups/MemoryMax, or container memory limits) so a malicious push is killed rather than taking down the host.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
