CVE-2026-34165 Overview
A memory exhaustion vulnerability has been identified in go-git, an extensible Git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition.
Critical Impact
Exploitation of this vulnerability can lead to complete denial of service through memory exhaustion, affecting any application or service using the vulnerable go-git library to process Git repositories with attacker-controlled .idx files.
Affected Products
- go-git versions 5.0.0 to 5.17.0
- Applications using go-git library for Git operations
- Services that allow processing of untrusted Git repositories
Discovery Timeline
- 2026-03-31 - CVE-2026-34165 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34165
Vulnerability Analysis
This vulnerability stems from improper handling of .idx (index) files within the go-git library's packfile parsing functionality. Git packfiles use index files to enable efficient object lookup, but the parsing logic in affected versions fails to adequately validate the size and structure of these files before allocating memory.
When processing a maliciously crafted .idx file, the library can be tricked into allocating disproportionately large amounts of memory relative to the actual file size. This asymmetric memory consumption pattern makes it possible for an attacker with relatively small input to trigger massive memory allocations, ultimately exhausting available system memory and causing the application to crash or become unresponsive.
The vulnerability is classified as CWE-191 (Integer Underflow), indicating that the root cause involves arithmetic operations that produce values smaller than expected, which then get interpreted as large unsigned integers during memory allocation operations.
Root Cause
The vulnerability originates from an integer underflow condition (CWE-191) in the .idx file parsing code. When certain size calculations result in integer underflow, the resulting values wrap around to extremely large positive numbers. These inflated values are then used for memory allocation, causing the library to attempt allocating gigabytes of memory from small malformed input files.
The local attack vector requires write access to the repository's .git directory, meaning an attacker must either have local system access or be able to influence repository contents through other means such as compromised dependencies or malicious repository cloning.
Attack Vector
Exploitation requires local access with the ability to create or modify .idx files within a target repository's .git/objects/pack/ directory. The attack proceeds as follows:
- The attacker gains write access to the local repository's .git directory
- A maliciously crafted .idx file is placed or an existing one is modified in the .git/objects/pack/ directory
- When the application using go-git attempts to read packfile objects, it parses the malformed index
- The integer underflow triggers excessive memory allocation
- System memory becomes exhausted, causing denial of service
The attack surface is limited by the requirement for local repository access, but this can be achieved in scenarios involving shared file systems, compromised development environments, or malicious repository contributions.
Detection Methods for CVE-2026-34165
Indicators of Compromise
- Unusually large or malformed .idx files in .git/objects/pack/ directories
- Sudden memory exhaustion in applications using go-git library
- Application crashes with out-of-memory errors during Git operations
- Anomalous file modifications within .git directories
Detection Strategies
- Monitor memory usage patterns for applications utilizing go-git library for sudden spikes
- Implement file integrity monitoring on .git/objects/pack/ directories to detect unauthorized modifications
- Review application logs for out-of-memory exceptions occurring during packfile operations
- Audit dependency versions to identify go-git installations between 5.0.0 and 5.17.0
Monitoring Recommendations
- Enable memory threshold alerting for services using go-git to detect resource exhaustion attempts
- Implement logging for Git packfile operations to capture parsing errors and anomalies
- Configure resource limits (memory cgroups, ulimits) for processes using go-git to contain potential DoS impact
- Regular vulnerability scanning of Go dependencies using tools like govulncheck
How to Mitigate CVE-2026-34165
Immediate Actions Required
- Upgrade go-git to version 5.17.1 or later immediately
- Audit .git/objects/pack/ directories for suspicious or recently modified .idx files
- Implement memory limits for processes using go-git to prevent complete system exhaustion
- Restrict write access to .git directories where possible
Patch Information
The vulnerability has been patched in go-git version 5.17.1. Organizations should update their Go module dependencies to include the fixed version. For detailed patch information, refer to the GitHub Release v5.17.1 and the GitHub Security Advisory GHSA-jhf3-xxhw-2wpp.
To update go-git in your Go project:
go get github.com/go-git/go-git/v5@v5.17.1
go mod tidy
Workarounds
- Restrict filesystem permissions on .git/objects/pack/ directories to prevent unauthorized write access
- Implement process-level memory limits using operating system controls (cgroups, ulimits) to contain DoS impact
- Validate and sanitize any externally-sourced Git repositories before processing with go-git
- Consider running go-git operations in isolated containers with strict resource constraints
# Configuration example
# Set memory limits for applications using go-git
# Using systemd service configuration
[Service]
MemoryMax=2G
MemoryHigh=1.5G
# Or using Docker/container runtime
docker run --memory="2g" --memory-swap="2g" your-go-git-app
# Restrict .git directory permissions
chmod -R 750 /path/to/repo/.git
chown -R appuser:appgroup /path/to/repo/.git
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
