SecuriTricks - CVE-2026-33762

Description

go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.

Product(s) Impacted

Vendor	Product	Versions
Go-git	Go-git	<5.17.1, index_format_version_4

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-129

Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	go-git	go-git	<5.17.1	/	/	/	/	/	/	/
a	go-git	go-git	index_format_version_4	/	/	/	/	/	/	/

References

https://github.com/go-git/go-git/releases/tag/v5.17.1

https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8

CVSS Score

2.8 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

View Vector String

Timeline

Published: March 31, 2026, 3:16 p.m.
Last Modified: April 1, 2026, 2:24 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-33762