go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Go-git Subscribe
Go-git Subscribe
Go-git Project Subscribe
Go-git Subscribe

Configuration 1 [-]

cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Go-git Subscribe
Go-git Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jhf3-xxhw-2wpp go-git: Maliciously crafted idx file can cause asymmetric memory consumption
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/go-git/go-git/releases/tag/v5.17.1 cve-icon cve-icon cve-icon
https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-34165 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-34165 cve-icon
History

Fri, 03 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Go-git Project
Go-git Project go-git
CPEs cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*
Vendors & Products Go-git Project
Go-git Project go-git

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Go-git
Go-git go-git
Vendors & Products Go-git
Go-git go-git

Tue, 31 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.
Title go-git: Maliciously crafted idx file can cause asymmetric memory consumption
Weaknesses CWE-191
CWE-770
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:10:17.724Z

Reserved: 2026-03-25T20:12:04.197Z

Link: CVE-2026-34165

cve-icon Vulnrichment

Updated: 2026-04-02T15:10:13.682Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-31T15:16:17.343

Modified: 2026-04-02T16:49:16.047

Link: CVE-2026-34165

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-31T13:46:37Z

Links: CVE-2026-34165 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:19:31Z

Weaknesses