CVE-2026-33762 — Improper Validation of Array Index in Go-git

CWE-129 — Improper Validation of Array Index CWE-1284 — Improper Validation of Specified Quantity in Input59 documents7 sources

Severity

2.8LOWNVD

EPSS

0.0%

top 97.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Go-git Github.com Go-git Go-git V5 Go-git Project Go-git +1 more

Timeline

PublishedMar 31

Latest updateApr 7

Description

go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable t…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:LExploitability: 1.3 | Impact: 1.4

Affected Packages4 packages

▶CVEListV5go-git/go-git< 5.17.1

▶NVDgo-git_project/go-git< 5.17.1

▶Gogithub.com/go-git_go-git_v5< 5.17.1

▶debiandebian/golang-github-go-git-go-git

🔴Vulnerability Details

OSV

Missing validation decoding Index v4 files leads to panic in github.com/go-git/go-git↗2026-04-07

▶

OSV

CVE-2026-33762: go-git is an extensible git implementation library written in pure Go↗2026-03-31

▶

GHSA

go-git missing validation decoding Index v4 files leads to panic↗2026-03-30

▶

OSV

go-git missing validation decoding Index v4 files leads to panic↗2026-03-30

▶

📋Vendor Advisories

Red Hat

github.com/go-git/go-git/v5: go-git: Denial of Service via crafted Git index file↗2026-03-31

▶

Debian

CVE-2026-33762: golang-github-go-git-go-git - go-git is an extensible git implementation library written in pure Go. Prior to ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-20883 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-28375 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-27137 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-20800 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-23992 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-33762 trivy: go-git: Denial of Service via crafted Git index file [fedora-all]↗2026-04-02

▶

Bugzilla

CVE-2026-33762 vagrant: go-git: Denial of Service via crafted Git index file [fedora-all]↗2026-04-02

▶