{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33762", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T18:30:14.126Z", "datePublished": "2026-03-31T13:47:42.378Z", "dateUpdated": "2026-03-31T18:53:08.221Z"}, "containers": {"cna": {"title": "go-git: Missing validation decoding Index v4 files leads to panic", "problemTypes": [{"descriptions": [{"cweId": "CWE-129", "lang": "en", "description": "CWE-129: Improper Validation of Array Index", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8"}, {"name": "https://github.com/go-git/go-git/releases/tag/v5.17.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/go-git/go-git/releases/tag/v5.17.1"}], "affected": [{"vendor": "go-git", "product": "go-git", "versions": [{"version": "< 5.17.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T13:47:42.378Z"}, "descriptions": [{"lang": "en", "value": "go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git\u2019s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1."}], "source": {"advisory": "GHSA-gm2x-2g9h-ccm8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:50:26.187250Z", "id": "CVE-2026-33762", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:53:08.221Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33762", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:50:26.187250Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T18:50:27.235Z"}}], "cna": {"title": "go-git: Missing validation decoding Index v4 files leads to panic", "source": {"advisory": "GHSA-gm2x-2g9h-ccm8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.8, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "go-git", "product": "go-git", "versions": [{"status": "affected", "version": "< 5.17.1"}]}], "references": [{"url": "https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8", "name": "https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/go-git/go-git/releases/tag/v5.17.1", "name": "https://github.com/go-git/go-git/releases/tag/v5.17.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git\u2019s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-129", "description": "CWE-129: Improper Validation of Array Index"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T13:47:42.378Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33762", "state": "PUBLISHED", "dateUpdated": "2026-03-31T18:53:08.221Z", "dateReserved": "2026-03-23T18:30:14.126Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T13:47:42.378Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:go-git_project:go-git:*:*:*:*:*:go:*:*", "matchCriteriaId": "B23FA8A3-7368-4B78-B80A-9BCC2F012738", "versionEndExcluding": "5.17.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git\u2019s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1."}], "id": "CVE-2026-33762", "lastModified": "2026-04-02T16:49:29.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 2.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T15:16:15.597", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/go-git/go-git/releases/tag/v5.17.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-129"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.17.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "go-git", "source": "cna", "vendor": "go-git"}, "product": "go-git", "vendor": "go-git"}], "analysis": {"en": {"generated_at": "2026-03-31T15:51:16.308689+00:00", "value": {"mitigation_remediation": ["Upgrade the go\u2011git library to version 5.17.1 or later to apply the patch.", "If an upgrade is not feasible immediately, avoid loading index files that come from untrusted or external sources until the library is updated.", "Monitor application logs for panic exceptions that may indicate an attempt to exploit this vulnerability."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the go\u2011git library prior to version 5.17.1. Only index files of format v4 are affected; earlier supported formats v2 and v3 are not vulnerable. Any application that imports or parses such a file will be exposed if it uses an affected library version.", "description_and_impact": "A flaw in the go\u2011git library\u2019s decoder for git index format version 4 allows a maliciously crafted index file to cause an out\u2011of\u2011bounds slice operation, resulting in a runtime panic during normal parsing. This crash terminates the application using go\u2011git, effectively denying service to legitimate users. The weakness is an integer bounds check error as catalogued by CWE\u2011129.", "risk_and_exploitability": "The CVSS score of 2.8 indicates a low severity. No EPSS score is publicly available and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to involve supplying a crafted index file to an application that processes git repositories with go\u2011git, which could occur locally or from a remote source if the application downloads or receives untrusted repositories. Given the lack of publicly known exploits and the low CVSS, overall risk remains low, though any running instance parsing untrusted data could be disrupted."}}}}, "created": "2026-03-31T19:54:39.810117+00:00", "updated": "2026-03-31T20:38:33.763777+00:00", "vendors": ["go-git", "go-git$PRODUCT$go-git"]}