#VU112639 Buffer overflow in Git - CVE-2025-48386
Vulnerability identifier: #VU112639
Vulnerability risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-119
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Git
Client/Desktop applications /
Software for system administration
Vendor: Git
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in wincred credential helper. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Git: 2.43.0, 2.43.1, 2.43.2, 2.43.3, 2.43.4, 2.43.5, 2.43.6, 2.44.0, 2.44.1, 2.44.2, 2.44.3, 2.45.0, 2.45.1, 2.45.2, 2.45.3, 2.46.0, 2.46.1, 2.46.2, 2.46.3, 2.47.0, 2.47.1, 2.47.2, 2.48.0, 2.48.1, 2.49.0, 2.50.0
External links
https://github.com/git/git/security/advisories/GHSA-4v56-3xvj-xvfr
https://lore.kernel.org/git/xmqq5xg2wrd1.fsf@gitster.g/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
