VYPR
Low severity (2.8) · NVD Advisory · Published Mar 31, 2026 · Updated Apr 2, 2026

CVE-2026-33762

Description

go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-git’s index decoder for format version 4 fails to validate the path name prefix length before applying it to the previously decoded path name. A maliciously crafted index file can trigger an out-of-bounds slice operation, resulting in a runtime panic during normal index parsing. This issue only affects Git index format version 4. Earlier formats (go-git supports only v2 and v3) are not vulnerable to this issue. This issue has been patched in version 5.17.1.
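The missing check, as an added Go sketch that is not go-git's own code. It assumes the v4 path encoding from Git's index-format documentation (remove N bytes from the end of the previous path name, then append a suffix); `entry`, `uncheckedPath`, `checkedPath`, `decodeAll`, `panics` and `ErrBadStrip` are hypothetical names, and the sample entries are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// entry is a constructed stand-in for one v4 path record (strip count + suffix).
type entry struct{ strip int; suffix string }

var ErrBadStrip = errors.New("index v4: strip length exceeds previous path")

// uncheckedPath uses the file-supplied count directly as a slice bound.
func uncheckedPath(prev string, e entry) string {
	return prev[:len(prev)-e.strip] + e.suffix // panics when strip > len(prev)
}

// checkedPath rejects a count that falls outside the previous path.
func checkedPath(prev string, e entry) (string, error) {
	if e.strip < 0 || e.strip > len(prev) {
		return "", ErrBadStrip
	}
	return prev[:len(prev)-e.strip] + e.suffix, nil
}

// decodeAll rebuilds full paths and fails closed on the first bad entry.
func decodeAll(entries []entry) (out []string, err error) {
	prev := ""
	for i, e := range entries {
		if prev, err = checkedPath(prev, e); err != nil {
			return nil, fmt.Errorf("entry %d: %w", i, err)
		}
		out = append(out, prev)
	}
	return out, nil
}

// panics reports whether f panics, without crashing the process.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return
}

func main() {
	fmt.Println(decodeAll([]entry{{0, "src/a.go"}, {4, "b.go"}})) // constructed input
	fmt.Println(decodeAll([]entry{{0, "a.go"}, {9, "x"}}))        // constructed input
	fmt.Println(panics(func() { uncheckedPath("a.go", entry{9, "x"}) }))
}
```

Callers that parse index files from untrusted repositories on an unpatched version can contain the failure by running the decode behind a `recover` boundary until they upgrade to 5.17.1.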

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/go-git/go-git/v5 | Go | < 5.17.1 | 5.17.1 |
