CVE-2026-44740
go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion
Description
### Impact Multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. ### Patches Users should upgrade to a patched version in order to mitigate this vulnerability. Versions prior to `v5` are likely to be affected, users are recommended to upgrade to a supported `go-billy` version. ### Credits Thanks to @faran66 for finding and reporting this issue privately to the go-git project. 🙇
How to fix CVE-2026-44740
To remediate CVE-2026-44740, upgrade the affected package to a fixed version below.
- —no fix listed
- —no fix listed
- —upgrade to 5.9.0 or later
- —upgrade to 6.0.0-alpha.1 or later
Is CVE-2026-44740 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0
- from 0
- from 0, < 5.9.0
- from 0, < 6.0.0-alpha.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |