CVE-2026-33762 Overview
CVE-2026-33762 is an out-of-bounds vulnerability in go-git, an extensible Git implementation library written in pure Go. The vulnerability exists in the index decoder for format version 4, which fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing.
Critical Impact
A specially crafted Git index file can cause applications using go-git to crash via runtime panic, potentially leading to denial of service in services that process untrusted Git repositories.
Affected Products
- go-git versions prior to 5.17.1
- Applications and services using go-git to parse Git index files
- Git index format version 4 implementations in go-git
Discovery Timeline
- 2026-03-31 - CVE CVE-2026-33762 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-33762
Vulnerability Analysis
This vulnerability is classified as CWE-129 (Improper Validation of Array Index). The go-git library's index decoder for Git index format version 4 contains a flaw in how it handles path name prefix lengths. During the decoding process, the library applies a prefix length value to reconstruct file paths from a previously decoded path name without first validating that the prefix length is within valid bounds.
When processing a maliciously crafted index file, an attacker can supply an invalid prefix length value that exceeds the actual length of the previously decoded path. This causes the Go runtime to attempt an out-of-bounds slice operation, triggering a panic that terminates the application.
The vulnerability specifically affects Git index format version 4, which uses prefix compression to reduce the size of the index file by storing common path prefixes only once. Earlier formats (versions 2 and 3, which are the only other versions go-git supports) do not use this prefix compression mechanism and are therefore not vulnerable to this issue.
Root Cause
The root cause is insufficient input validation in the index decoder's handling of prefix length values. The decoder trusts the prefix length value from the index file without verifying that it falls within the valid range of the previously decoded path string. This missing bounds check allows an attacker-controlled value to cause a slice operation beyond the allocated memory bounds.
Attack Vector
Exploitation requires local access and user interaction. An attacker must craft a malicious Git index file with an invalid prefix length value and convince a user or automated system to process this file using an application built with a vulnerable version of go-git.
The attack vector involves:
- Creating a Git index file with format version 4
- Manipulating the prefix length field to contain a value larger than the previous path entry
- Delivering the malicious index file to a target system (e.g., via a cloned repository or shared archive)
- Triggering index parsing through normal Git operations in applications using go-git
The vulnerability results in a denial of service condition through application crash, but does not enable code execution or data exfiltration due to Go's memory safety guarantees.
Detection Methods for CVE-2026-33762
Indicators of Compromise
- Unexpected application crashes or panics in services using go-git for repository processing
- Error logs containing panic messages related to slice bounds or index out of range during Git index parsing
- Presence of Git index files with format version 4 containing unusually large prefix length values
Detection Strategies
- Monitor application logs for Go runtime panic messages specifically mentioning slice bounds errors during index operations
- Implement dependency scanning to identify applications using go-git versions prior to 5.17.1
- Deploy file integrity monitoring on Git repository directories to detect modifications to index files
Monitoring Recommendations
- Configure alerting for application restarts or crash loops in services that process Git repositories
- Implement health checks that can detect and report go-git parsing failures
- Review application dependencies regularly using software composition analysis (SCA) tools to identify vulnerable go-git versions
How to Mitigate CVE-2026-33762
Immediate Actions Required
- Upgrade go-git to version 5.17.1 or later immediately
- Audit all applications and services in your environment that depend on go-git
- Implement input validation for Git repositories received from untrusted sources
- Consider temporarily restricting processing of Git index format version 4 files from untrusted sources
Patch Information
The go-git project has released version 5.17.1 which addresses this vulnerability by adding proper bounds checking for prefix length values before applying them to path names. The fix ensures that the prefix length does not exceed the length of the previously decoded path, preventing the out-of-bounds slice operation.
For detailed patch information, see the GitHub Release v5.17.1 and the GitHub Security Advisory GHSA-gm2x-2g9h-ccm8.
Workarounds
- Restrict the processing of Git repositories to trusted sources only until the patch can be applied
- Implement wrapper functions that pre-validate Git index files before passing them to go-git for parsing
- Consider using Git index format versions 2 or 3 where possible, as these are not affected by this vulnerability
- Deploy application-level recovery mechanisms to gracefully handle panics and prevent service disruption
# Update go-git dependency to patched version
go get github.com/go-git/go-git/v5@v5.17.1
# Verify the updated version in go.mod
grep go-git go.mod
# Run dependency audit to confirm fix
go list -m -versions github.com/go-git/go-git/v5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
