CVE-2026-34165

go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.

Database specific

{
    "cwe_ids": [
        "CWE-191",
        "CWE-770"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34165.json"
}

References

Affected packages

Git / github.com/go-git/go-git

Affected ranges

Type

GIT

Repo

https://github.com/go-git/go-git

Events

Introduced

9d0f15c4fa712cdacfa3887e9baac918f093fbf6

Fixed

5e23dfd02db92644dc4a3358ceb297fce875b772

Database specific

{
    "versions": [
        {
            "introduced": "5.0.0"
        },
        {
            "fixed": "5.17.1"
        }
    ]
}

Affected versions

v5.*

v5.0.0

v5.1.0

v5.10.0

v5.10.1

v5.11.0

v5.12.0

v5.13.0

v5.13.1

v5.13.2

v5.14.0

v5.15.0

v5.16.0

v5.16.1

v5.16.2

v5.16.3

v5.16.4

v5.16.5

v5.17.0

v5.2.0

v5.3.0

v5.4.0

v5.4.1

v5.4.2

v5.5.0

v5.5.1

v5.5.2

v5.6.0

v5.6.1

v5.7.0

v5.8.0

v5.8.1

v5.9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34165.json"