CVE-2026-47734

Source
https://cve.org/CVERecord?id=CVE-2026-47734
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47734.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-47734
Aliases
Downstream
Published
2026-06-10T22:11:02.704Z
Modified
2026-07-08T08:05:19.213877964Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Dulwich has unbounded memory allocation in receive-pack from crafted thin packs
Details

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (~174 bytes) whose delta header declares a huge destsize. When dulwich ingested it via addthinpack / applydelta, it would allocate hundreds of MB of memory based on that attacker-controlled size, with no relationship to the actual bytes received. Operators running a Dulwich-based Git server that exposes git-receive-pack (i.e. accepts pushes) - for example via dulwich.server functionality, the HTTP smart server, or anything built on ReceivePackHandler - are impacted. The issue is patched in 1.2.5. addthinpack now accepts a maxinputsize keyword (bytes; 0/None = unlimited, matching git's semantics), and ReceivePackHandler reads receive.maxInputSize from the repository config and passes it through. Wire reads are counted and a PackInputTooLarge exception is raised once the cap is exceeded - equivalent to git index-pack --max-input-size. Users should upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in their server's repository config to a sane bound for their environment. On unpatched versions, receive.maxInputSize has no effect, so it cannot be used as a workaround. Until upgrading, operators should restrict dulwich-receive-pack (push) access to trusted, authenticated clients only, or disable it entirely on servers that only need to serve fetches and/or run the server under an OS-level memory limit (e.g. ulimit, cgroups/MemoryMax, or a container memory limit) so a malicious push is killed rather than taking down the host.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47734.json",
    "cwe_ids": [
        "CWE-400",
        "CWE-789"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/jelmer/dulwich

Affected ranges

Type
GIT
Repo
https://github.com/jelmer/dulwich
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.1.0"
        },
        {
            "fixed": "1.2.5"
        }
    ]
}

Affected versions

dulwich-0.*
dulwich-0.1.0
dulwich-0.1.1
dulwich-0.10.0
dulwich-0.10.1
dulwich-0.11.0
dulwich-0.11.1
dulwich-0.12.0
dulwich-0.13.0
dulwich-0.14.0
dulwich-0.14.1
dulwich-0.15.0
dulwich-0.16.0
dulwich-0.16.1
dulwich-0.16.2
dulwich-0.16.3
dulwich-0.17.0
dulwich-0.17.1
dulwich-0.17.2
dulwich-0.17.3
dulwich-0.18.0
dulwich-0.18.1
dulwich-0.18.2
dulwich-0.18.3
dulwich-0.18.4
dulwich-0.18.5
dulwich-0.18.6
dulwich-0.19.0
dulwich-0.19.1
dulwich-0.19.10
dulwich-0.19.11
dulwich-0.19.12
dulwich-0.19.13
dulwich-0.19.14
dulwich-0.19.15
dulwich-0.19.16
dulwich-0.19.2
dulwich-0.19.2-1
dulwich-0.19.2-2
dulwich-0.19.3
dulwich-0.19.4
dulwich-0.19.5
dulwich-0.19.6
dulwich-0.19.7
dulwich-0.19.8
dulwich-0.19.9
dulwich-0.2.0
dulwich-0.2.1
dulwich-0.20.0
dulwich-0.20.1
dulwich-0.20.11
dulwich-0.20.12
dulwich-0.20.13
dulwich-0.20.14
dulwich-0.20.15
dulwich-0.20.17
dulwich-0.20.18
dulwich-0.20.19
dulwich-0.20.2
dulwich-0.20.20
dulwich-0.20.21
dulwich-0.20.22
dulwich-0.20.23
dulwich-0.20.24
dulwich-0.20.25
dulwich-0.20.26
dulwich-0.20.27
dulwich-0.20.28
dulwich-0.20.29
dulwich-0.20.3
dulwich-0.20.30
dulwich-0.20.32
dulwich-0.20.33
dulwich-0.20.34
dulwich-0.20.35
dulwich-0.20.36
dulwich-0.20.37
dulwich-0.20.38
dulwich-0.20.39
dulwich-0.20.4
dulwich-0.20.40
dulwich-0.20.41
dulwich-0.20.42
dulwich-0.20.43
dulwich-0.20.44
dulwich-0.20.5
dulwich-0.20.50
dulwich-0.20.6
dulwich-0.20.7
dulwich-0.20.8
dulwich-0.20.9
dulwich-0.21.0
dulwich-0.21.1
dulwich-0.21.2
dulwich-0.21.3
dulwich-0.21.4.1
dulwich-0.21.5
dulwich-0.21.6
dulwich-0.21.7
dulwich-0.22.0
dulwich-0.22.1
dulwich-0.22.2
dulwich-0.22.3
dulwich-0.22.4
dulwich-0.22.5
dulwich-0.22.6
dulwich-0.22.7
dulwich-0.22.8
dulwich-0.23.1
dulwich-0.23.2
dulwich-0.24.0
dulwich-0.24.1
dulwich-0.24.2
dulwich-0.24.5
dulwich-0.24.6
dulwich-0.24.7
dulwich-0.24.8
dulwich-0.25.0
dulwich-0.25.1
dulwich-0.25.2
dulwich-0.3.0
dulwich-0.3.1
dulwich-0.3.2
dulwich-0.3.3
dulwich-0.4.0
dulwich-0.4.1
dulwich-0.5.0
dulwich-0.6.0
dulwich-0.6.1
dulwich-0.6.2
dulwich-0.7.0
dulwich-0.7.1
dulwich-0.8.0
dulwich-0.8.1
dulwich-0.8.2
dulwich-0.8.3
dulwich-0.8.4
dulwich-0.8.5
dulwich-0.8.6
dulwich-0.8.7
dulwich-0.9.0
dulwich-0.9.1
dulwich-0.9.2
dulwich-0.9.3
dulwich-0.9.4
dulwich-0.9.5
dulwich-0.9.6
dulwich-0.9.7
dulwich-0.9.8
dulwich-1.*
dulwich-1.0.0
dulwich-1.1.0
dulwich-1.2.0
dulwich-1.2.1
dulwich-1.2.2
dulwich-1.2.3
dulwich-1.2.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47734.json"