Out-of-Bounds Slice Operation in go-git Git Library
CVE-2026-33762

2.8LOW

Key Information:

Vendor: Go-git
Status: Go-git
Vendor: CVE Published:; 31 March 2026

What is CVE-2026-33762?

The go-git library, a pure Go implementation for Git, contains a vulnerability in its index decoder for format version 4. Prior to version 5.17.1, this component fails to properly validate the path name prefix length when decoding. An attacker can exploit this issue by crafting a malicious index file, leading to an out-of-bounds slice operation that results in a runtime panic during normal index parsing. This vulnerability specifically impacts Git index format version 4, while earlier formats (v2 and v3) remain unaffected. Users are advised to upgrade to version 5.17.1 or later to mitigate this risk.

Affected Version(s)

go-git < 5.17.1

References

https://github.com/go-git/go-git/security/advisories/GHSA...

x_refsource_CONFIRM

https://github.com/go-git/go-git/releases/tag/v5.17.1

x_refsource_MISC

CVSS V3.1

Score:

2.8

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 31, 2026
Vulnerability Reserved
Mar 23, 2026

CVE-2026-33762 Data

JSON

Go-git

What is CVE-2026-33762?

Affected Version(s)

References

CVSS V3.1

Timeline