VIR Vulnerability Intelligence Relay

CVE-2026-45022

high
Published 2026-05-27 · Modified 2026-05-11
CVSS v3
CVSS v2
VIR risk
8.0

Description

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.0 and 6.0.0-alpha.3, go-git may parse malformed Git objects in a way that differs from upstream Git. When commit or tag objects contain ambiguous or malformed headers, go-git’s decoded representation may expose values differently from how Git itself would interpret or reject the same object. Additionally, go-git’s commit signing and verification logic operates over commit data reconstructed from go-git’s parsed representation rather than the original raw object bytes. As a result, go-git may sign or verify a commit payload that is not byte-for-byte equivalent to the object stored in the repository. This can cause a signature to appear valid for a commit whose displayed or effective metadata differs from the object that was intended to be signed. This vulnerability is fixed in 5.19.0 and 6.0.0-alpha.3.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-45022

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-45022 NameCVE-2026-45022 Descriptiongo-git is an extensible git implementation library written in pure Go. ... SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Source…

CVE-2026-45022

NameCVE-2026-45022
Descriptiongo-git is an extensible git implementation library written in pure Go. ...
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-go-git-go-git (PTS)bookworm5.4.2-3vulnerable
trixie5.14.0-1vulnerable
forky5.17.1-1vulnerable
sid5.19.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-go-git-go-gitsource(unstable)5.19.1-1

Notes

https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp

Home - Debian Security - Source (Git)

Apply commands

text fix
Notes
https://github.com/go-git/go-git/security/advisories/GHSA-389r-gv7p-r3rp

OS impact
OSVersionStatusFixed in
debian debianbookwormaffected
debian debianforkyaffected
debian debiansidfixed5.19.1-1
debian debiantrixieaffected

Package impact
EcosystemPackageVulnerableFixed
golang Gogithub.com/go-git/go-git/v6>=6.0.0-alpha.1,<6.0.0-alpha.36.0.0-alpha.3
golang Gogithub.com/go-git/go-git/v5<5.19.05.19.0
golang GOgithub.com/go-git/go-git/v5< 5.19.05.19.0
golang GOgithub.com/go-git/go-git/v6>= 6.0.0-alpha.1, <= 6.0.0-alpha.26.0.0-alpha.3

References

CWEs

CWE-180 CWE-345

Verify integrity in audit chain (admin only). AS-IS.