CVE-2026-44740: CWE-674: Uncontrolled Recursion in go-git go-billy
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
AI Analysis
Technical Summary
CVE-2026-44740 affects the go-billy filesystem abstraction used in the go-git project. Multiple components in versions prior to 5.9.0 and 6.0.0-alpha.1 improperly handle crafted or malformed input, leading to uncontrolled recursion, infinite loops, panics, or excessive resource consumption. These problems stem from insufficient input validation and lack of defensive programming safeguards such as cycle detection and recursion limits when processing untrusted repository data and filesystem structures. The vulnerability impacts availability but does not affect confidentiality or integrity. The issue has been patched in the specified versions.
Potential Impact
Exploitation of this vulnerability can cause denial of service conditions through application crashes, infinite loops, or resource exhaustion. There is no indication of impact on confidentiality or integrity. No known exploits are reported in the wild. The CVSS score of 6.5 reflects a medium severity primarily due to availability impact.
Mitigation Recommendations
A fix is available in go-billy versions 5.9.0 and 6.0.0-alpha.1. Users should upgrade to these or later versions to remediate the vulnerability. Since this is a library, ensure that dependent projects update their go-billy dependency accordingly. Patch status is confirmed by the vendor advisory embedded in the description. No additional mitigations are specified.
CVE-2026-44740: CWE-674: Uncontrolled Recursion in go-git go-billy
Description
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
CVSS v3.1
Score 6.5medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44740 affects the go-billy filesystem abstraction used in the go-git project. Multiple components in versions prior to 5.9.0 and 6.0.0-alpha.1 improperly handle crafted or malformed input, leading to uncontrolled recursion, infinite loops, panics, or excessive resource consumption. These problems stem from insufficient input validation and lack of defensive programming safeguards such as cycle detection and recursion limits when processing untrusted repository data and filesystem structures. The vulnerability impacts availability but does not affect confidentiality or integrity. The issue has been patched in the specified versions.
Potential Impact
Exploitation of this vulnerability can cause denial of service conditions through application crashes, infinite loops, or resource exhaustion. There is no indication of impact on confidentiality or integrity. No known exploits are reported in the wild. The CVSS score of 6.5 reflects a medium severity primarily due to availability impact.
Mitigation Recommendations
A fix is available in go-billy versions 5.9.0 and 6.0.0-alpha.1. Users should upgrade to these or later versions to remediate the vulnerability. Since this is a library, ensure that dependent projects update their go-billy dependency accordingly. Patch status is confirmed by the vendor advisory embedded in the description. No additional mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-07T18:04:17.310Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1dbba3e29bf47b501c579e
Added to database: 6/1/2026, 5:04:35 PM
Last enriched: 6/1/2026, 5:21:03 PM
Last updated: 6/2/2026, 7:13:18 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.