UBUNTU-CVE-2026-44740

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-44740

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44740.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-44740

Upstream

CVE-2026-44740

Published

2026-06-01T17:17:00Z

Modified

2026-06-03T11:25:22Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.

References

Affected packages

Ubuntu:22.04:LTS

golang-github-go-git-go-billy

Package

Name: golang-github-go-git-go-billy
Purl: pkg:deb/ubuntu/golang-github-go-git-go-billy?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.3.1-2

5.3.1-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-go-git-go-billy-dev",
            "binary_version": "5.3.1-3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44740.json"

Ubuntu:24.04:LTS

golang-github-go-git-go-billy

Package

Name: golang-github-go-git-go-billy
Purl: pkg:deb/ubuntu/golang-github-go-git-go-billy?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.3.1-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-go-git-go-billy-dev",
            "binary_version": "5.3.1-3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44740.json"

Ubuntu:25.10

golang-github-go-git-go-billy

Package

Name: golang-github-go-git-go-billy
Purl: pkg:deb/ubuntu/golang-github-go-git-go-billy?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.5.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-go-git-go-billy-dev",
            "binary_version": "5.5.0-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44740.json"

Ubuntu:26.04:LTS

golang-github-go-git-go-billy

Package

Name: golang-github-go-git-go-billy
Purl: pkg:deb/ubuntu/golang-github-go-git-go-billy?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.5.0-1

5.5.0-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "golang-github-go-git-go-billy-dev",
            "binary_version": "5.5.0-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-44740.json"