CVE-2026-44740

EUVD-2026-33663

01.06.2026, 17:17

Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

golang-github-go-git-go-billy

bookworm	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable

golang-github-go-git-go-billy-v6

forky	vulnerable
sid	vulnerable

Common Weakness Enumeration

CWE-674 - Uncontrolled Recursion
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

References

https://github.com/go-git/go-billy/releases/tag/v5.9.0

https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1

https://github.com/go-git/go-billy/security/advisories/GHSA-m3xc-h892-ggx6