Description

go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.

INFO

Published Date :

2026-03-31T13:47:42.378Z

Last Modified :

2026-03-31T18:53:08.221Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33762 vulnerability.

Vendors Products
Go-git
  • Go-git
Go-git Project
  • Go-git
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33762.

URL Resource
https://github.com/go-git/go-git/releases/tag/v5.17.1 cve-icon cve-icon cve-icon
https://github.com/go-git/go-git/security/advisories/GHSA-gm2x-2g9h-ccm8 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-33762 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-33762 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact