CVE-2026-44740
Severity: MEDIUM
go-billy < 5.9.0 - Symlink Resolution Resource Exhaustion
Title source: manual
Description
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
References (3)
Confirm: https://github.com/go-git/go-billy/security/advisories/GHSA-m3xc-h892-ggx6
Misc: https://github.com/go-git/go-billy/releases/tag/v5.9.0
Misc: https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1
Scores
CVSS v3
6.5
EPSS
0.0029
EPSS Percentile
20.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-674
CWE-835
Status
published
Products (4)
go-git/go-billy
0 - 5.9.0 (Go)
go-git/go-billy
0 - 6.0.0-alpha.1 (Go)
go-git/go-billy
< 5.9.0
go-git/go-billy
< 6.0.0-alpha.1
Published
Jun 01, 2026
Tracked Since
Jun 01, 2026