PatchSiren cyber security CVE debrief

CVE-2026-44740 go-git CVE debrief

Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.

Vendor: go-git
Product: go-billy
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running applications that depend on the go-billy library, particularly those processing untrusted Git repositories or external filesystem data. Developers using go-git or other tools built on go-billy should prioritize patching.

Technical summary

The Billy Go library provides filesystem abstraction interfaces used by go-git and other Go applications. Multiple components in versions prior to 5.9.0 and 6.0.0-alpha.1 lack sufficient validation and safety mechanisms when processing filesystem structures. Missing defenses include cycle detection, recursion limits, and handling of unexpected states. An attacker able to supply crafted or malformed repository data or filesystem structures can trigger denial-of-service conditions including panics, infinite loops, uncontrolled recursion, and excessive resource consumption. The attack requires low privileges and is network-exploitable with low complexity per the CVSS vector. No confidentiality or integrity impact is assigned; availability impact is rated High.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade go-billy to version 5.9.0 or later (or, on the v6 line, 6.0.0-alpha.1 or later).
  • Review applications using go-billy for exposure to untrusted repository data or filesystem structures.
  • Implement input validation and resource limits as defense-in-depth for filesystem operations processing external data.
  • Monitor for application panics or abnormal CPU/memory consumption that may indicate exploitation attempts.
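As an added defense-in-depth illustration, not code from go-billy or from this advisory, the Go walker below runs over a constructed in-memory tree and enforces the three safety mechanisms the advisory lists as missing: a recursion limit, symlink cycle detection, and a budget on entries examined. memFS, walk and sample are hypothetical names, and symlinks are modelled as a path-to-target map rather than a real filesystem.

```go
package main

import (
	"errors"
	"path"
)

// memFS is a constructed, hypothetical filesystem (not go-billy): dirs map to child names, links to absolute targets.
type memFS struct {
	dirs  map[string][]string
	links map[string]string
}

var ErrDepth, ErrCycle, ErrBudget = errors.New("walk: recursion limit exceeded"), errors.New("walk: symlink cycle detected"), errors.New("walk: entry budget exhausted")

// walk lists directories reachable from root, failing closed when the descent passes maxDepth,
// re-enters a directory already on the current path through a symlink, or examines more than maxEntries entries.
func (m *memFS) walk(root string, maxDepth, maxEntries int) ([]string, error) {
	var seen []string
	onPath, budget := map[string]bool{}, maxEntries // onPath: resolved directories on the current descent
	var rec func(p string, depth int) error
	rec = func(p string, depth int) error {
		if depth > maxDepth {
			return ErrDepth
		}
		if target, isLink := m.links[p]; isLink {
			return rec(path.Clean(target), depth+1) // a hop costs depth, so a pure link loop ends in ErrDepth
		}
		if onPath[p] {
			return ErrCycle // the link led back to an ancestor of the current entry
		}
		if _, isDir := m.dirs[p]; !isDir {
			return nil // regular file: nothing to descend into
		}
		onPath[p], seen = true, append(seen, p)
		defer delete(onPath, p)
		for _, c := range m.dirs[p] {
			if budget--; budget < 0 {
				return ErrBudget
			}
			if err := rec(path.Join(p, c), depth+1); err != nil {
				return err
			}
		}
		return nil
	}
	err := rec(path.Clean(root), 0)
	return seen, err
}

// sample is a constructed tree whose symlink /repo/loop points back at /repo.
var sample = &memFS{
	dirs:  map[string][]string{"/": {"repo"}, "/repo": {"src", "loop", "docs"}, "/repo/src": {"main.go"}, "/repo/docs": {}},
	links: map[string]string{"/repo/loop": "/repo"},
}
```

Walking sample with `sample.walk("/", 8, 100)` returns the three directories reached before the loop and ErrCycle; the same tree without the link walks cleanly, and a chain such as /a -> /b -> /a is stopped by the depth limit.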

Evidence notes

The CVE description identifies multiple components within the Billy Go filesystem abstraction library that fail to properly handle crafted or malformed input. The root causes are insufficient validation and missing safety mechanisms including cycle detection, recursion limits, and defensive handling of unexpected states. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) indicates a network-attackable, low-complexity vulnerability requiring low privileges that results in high availability impact. CWE-674 (Uncontrolled Recursion) and CWE-835 (Loop with Unreachable Exit Condition) are cited as primary weakness enumerations. The vulnerability status is listed as Deferred in NVD. Patches are available in releases v5.9.0 and v6.0.0-alpha.1 per GitHub Security Advisory GHSA-m3xc-h892-ggx6.

Official resources

2026-06-01T17:17:08.277Z