vulnerability
Ubuntu: USN-8088-1 (CVE-2026-25934): go-git vulnerabilities
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Feb 9, 2026 | Mar 13, 2026 | Mar 27, 2026 |
Description
go-git is a highly extensible git implementation library written in pure Go. Prior to 5.16.5, a vulnerability was discovered in go-git whereby data integrity values for .pack and .idx files were not properly verified. This resulted in go-git potentially consuming corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming it. The pack indexes (.idx) are generated locally by go-git, or the git cli, when new .pack files are received and processed. The integrity checks for both files were not being verified correctly. This vulnerability is fixed in 5.16.5.
Solutions
References
- CVE-2026-25934
- https://attackerkb.com/topics/CVE-2026-25934
- CWE-354
- EUVD-EUVD-2026-6247
- UBUNTU-USN-8088-1
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-6247
- https://github.com/go-git/go-git/releases/tag/v5.16.5
- https://github.com/go-git/go-git/security/advisories/GHSA-37cx-329c-33x3
- https://ubuntu.com/security/notices/USN-8088-1
- https://www.cve.org/CVERecord?id=CVE-2026-25934
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.