Improper Validation of Array Index in go-git - CVE-2026-33762

 

Published: April 17, 2026


Vulnerability identifier: #VU126454
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33762
CWE-ID: CWE-129
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: go-git
Affected software:
go-git

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper validation of an array index in the index decoder for format version 4 when parsing a crafted .git/index file. A local user can supply a specially crafted .git/index file to cause a denial of service.

Exploitation requires user interaction: the crafted file has to be read during normal index parsing. The issue can result in process termination if the application does not recover from panics.
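The failure mode described above, as an added Go example that is not go-git's code: an unchecked index panics, a bounds check turns the same input into an error, and a recover wrapper keeps an unpatched parser from terminating the process. The advisory does not say which value goes unvalidated; the strip length of version 4 path prefix compression is an assumed stand-in for the CWE-129 class, and all function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrBadStrip reports a strip length that does not fit the previous path.
var ErrBadStrip = errors.New("index v4: strip length exceeds previous path")

// applyPrefixUnchecked rebuilds a prefix-compressed path with no bounds check.
// Hypothetical stand-in for the CWE-129 pattern, not go-git's code.
func applyPrefixUnchecked(prev string, strip int, suffix string) string {
	return prev[:len(prev)-strip] + suffix // panics when strip > len(prev)
}

// applyPrefixChecked validates the file-supplied length before slicing.
func applyPrefixChecked(prev string, strip int, suffix string) (string, error) {
	if strip < 0 || strip > len(prev) {
		return "", ErrBadStrip
	}
	return prev[:len(prev)-strip] + suffix, nil
}

// contain runs a parser and turns a panic into an error, so one malformed
// file fails a single operation instead of terminating the process.
func contain(parse func() (string, error)) (out string, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = "", fmt.Errorf("index parse aborted: %v", r)
		}
	}()
	return parse()
}

func main() {
	// Constructed sample values: previous path, bytes to strip, new suffix.
	fmt.Println(applyPrefixChecked("src/main.go", 7, "util.go"))
	fmt.Println(applyPrefixChecked("a", 5, "x"))
	fmt.Println(contain(func() (string, error) {
		return applyPrefixUnchecked("a", 5, "x"), nil
	}))
}
```

recover only catches panics raised on the goroutine that deferred it, so the wrapper has to sit on the goroutine that calls the parser.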


How to mitigate CVE-2026-33762

Install the security update from the vendor's website.
