CVE-2026-34165

low-risk

Published 2026-03-31

go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cause asymmetric memory consumption, potentially exhausting available memory and resulting in a denial-of-service (DoS) condition. Exploitation requires write access to the local repository's .git directory, it order to create or alter existing .idx files. This issue has been patched in version 5.17.1.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.0/10 Medium

LOCAL / LOW complexity

Affected Products (1)

Go-Git

Affected Vendors

Go-Git Project

References (2)

Product https://github.com/go-git/go-git/releases/tag/v5.17.1

Vendor Advisory https://github.com/go-git/go-git/security/advisories/GHSA-jhf3-xxhw-2wpp

/ 100

low-risk

Severity 17/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal