PatchSiren cyber security CVE debrief
CVE-2026-47734 jelmer CVE debrief
CVE-2026-47734 is a MEDIUM-severity vulnerability in Dulwich, a pure-Python implementation of Git file formats and protocols. The issue allows a client with push access to cause a denial of service by pushing a crafted thin pack that declares a huge dest_size, leading to excessive memory allocation. This vulnerability affects operators running a Dulwich-based Git server that exposes git-receive-pack. The issue is patched in Dulwich version 1.2.5.
- Vendor: jelmer
- Product: dulwich
- CVSS: MEDIUM 5.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Operators running a Dulwich-based Git server that exposes git-receive-pack, particularly those who accept pushes from untrusted clients.
Technical summary
A client with push access can push a tiny crafted thin pack (~174 bytes) with a delta header declaring a huge dest_size. When Dulwich ingests it via add_thin_pack / apply_delta, it allocates hundreds of MB of memory based on the attacker-controlled size, with no relation to the actual bytes received.
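The delta header at the front of a Git delta object is two varints (source size, then destination size), so the declared dest_size is under full control of whoever built the pack. The following Python is an added illustration, not Dulwich's code, of the defensive shape a server wants: parse the header, reject a declared dest_size above an operator-chosen bound (the per-object analogue of receive.maxInputSize from the actions below), and then size the output buffer by the bytes the instructions actually produce rather than by the declared number. The bound MAX_DEST_SIZE, the base object and the sample delta bytes are all constructed for this example.

```python
from typing import Tuple

# Constructed bound (assumption): the largest single delta result this server
# will accept. Git's receive.maxInputSize bounds the whole incoming pack; this
# applies the same idea one object at a time.
MAX_DEST_SIZE = 64 * 1024 * 1024  # 64 MiB


class DeltaSizeError(ValueError):
    """Declared or produced delta output exceeds what the server allows."""


def read_varint(data: bytes, offset: int) -> Tuple[int, int]:
    """Decode Git's 7-bits-per-byte little-endian varint at offset.

    The high bit of each byte means another byte follows.
    Returns (value, offset just past the varint).
    """
    value, shift = 0, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated varint")
        byte = data[offset]
        offset += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, offset


def parse_delta_header(delta: bytes) -> Tuple[int, int, int]:
    """Return (src_size, dest_size, offset of the first instruction)."""
    src_size, offset = read_varint(delta, 0)
    dest_size, offset = read_varint(delta, offset)
    return src_size, dest_size, offset


def apply_delta_bounded(base: bytes, delta: bytes,
                        max_dest_size: int = MAX_DEST_SIZE) -> bytes:
    """Apply a Git delta without trusting the declared dest_size for allocation."""
    src_size, dest_size, pos = parse_delta_header(delta)
    if src_size != len(base):
        raise ValueError(f"delta expects a {src_size}-byte base, got {len(base)}")
    if dest_size > max_dest_size:
        raise DeltaSizeError(f"declared dest_size {dest_size} exceeds bound {max_dest_size}")

    out = bytearray()  # grows with real output; never preallocated to dest_size
    while pos < len(delta):
        cmd = delta[pos]
        pos += 1
        if cmd & 0x80:
            # Copy instruction: low 4 bits flag offset bytes, next 3 flag size bytes.
            offset = size = 0
            for i in range(4):
                if cmd & (1 << i):
                    if pos >= len(delta):
                        raise ValueError("truncated copy instruction")
                    offset |= delta[pos] << (8 * i)
                    pos += 1
            for i in range(3):
                if cmd & (1 << (4 + i)):
                    if pos >= len(delta):
                        raise ValueError("truncated copy instruction")
                    size |= delta[pos] << (8 * i)
                    pos += 1
            if size == 0:
                size = 0x10000  # Git's encoding of a 64 KiB copy
            if offset + size > len(base):
                raise ValueError("copy range lies outside the base object")
            chunk = base[offset:offset + size]
        elif cmd:
            # Insert instruction: the next cmd bytes are literal data.
            chunk = delta[pos:pos + cmd]
            if len(chunk) != cmd:
                raise ValueError("truncated insert instruction")
            pos += cmd
        else:
            raise ValueError("reserved delta opcode 0")
        if len(out) + len(chunk) > dest_size:
            raise DeltaSizeError("instructions produce more than the declared dest_size")
        out += chunk
    if len(out) != dest_size:
        raise DeltaSizeError(f"declared dest_size {dest_size}, produced {len(out)} bytes")
    return bytes(out)


# Constructed sample: a base object and a well-formed delta that reorders it.
BASE = b"hello world"
GOOD_DELTA = bytes([
    0x0B,              # src_size = 11
    0x0B,              # dest_size = 11
    0x91, 0x06, 0x05,  # copy 5 bytes from offset 6 ("world")
    0x01, 0x20,        # insert 1 byte (" ")
    0x91, 0x00, 0x05,  # copy 5 bytes from offset 0 ("hello")
])

# Constructed sample: an 11-byte delta whose header declares a 512 MiB result.
# Sizing a buffer from the header alone would allocate 512 MiB for these 11 bytes.
OVERSIZED_DELTA = bytes([0x0B, 0x80, 0x80, 0x80, 0x80, 0x02,
                         0x01, 0x20, 0x91, 0x00, 0x05])

if __name__ == "__main__":
    print(apply_delta_bounded(BASE, GOOD_DELTA))
    try:
        apply_delta_bounded(BASE, OVERSIZED_DELTA)
    except DeltaSizeError as exc:
        print("rejected:", exc)
```

The second sample is rejected at the header check before any output buffer exists; the incremental `out` buffer also catches the case where a delta declares a small dest_size and then tries to emit more than that, so the declared number is only ever used as a ceiling, never as an allocation size.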
Defensive priority
High
Recommended defensive actions
- Upgrade to Dulwich 1.2.5 or later.
- Set receive.maxInputSize in the server's repository config to a sane bound for the environment.
- Restrict dulwich-receive-pack (push) access to trusted, authenticated clients only.
- Disable dulwich-receive-pack on servers that only need to serve fetches.
- Run the server under an OS-level memory limit (e.g., ulimit, cgroups/MemoryMax, or a container memory limit).
Evidence notes
The vulnerability is patched in Dulwich version 1.2.5. Users should upgrade and set receive.maxInputSize in their server's repository config.
Official resources
CVE-2026-47734 was published on 2026-06-10T23:16:48.807Z and modified on 2026-06-11T15:21:07.370Z.