CVE-2026-44740
Description
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
CVE-2026-44740
| Name | CVE-2026-44740 |
|---|---|
| Description | Billy is an interface filesystem abstraction for Go. Prior to versions ... |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-github-go-git-go-billy (PTS) | bookworm | 5.3.1-3 | vulnerable |
| golang-github-go-git-go-billy (PTS) | trixie | 5.5.0-1 | vulnerable |
| golang-github-go-git-go-billy (PTS) | forky, sid | 5.8.0-1 | vulnerable |
| golang-github-go-git-go-billy-v6 (PTS) | forky | 6~git20260226.45bd095-2 | vulnerable |
| golang-github-go-git-go-billy-v6 (PTS) | sid | 6.0.0~alpha.1-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-github-go-git-go-billy | source | (unstable) | (unfixed) | | | |
| golang-github-go-git-go-billy-v6 | source | (unstable) | (unfixed) | | | |
Notes
https://github.com/go-git/go-billy/security/advisories/GHSA-m3xc-h892-ggx6
OS impact
Debian Affected 4 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Affected | - |
| sid | Affected | - |
| forky | Affected | - |
| bookworm | Affected | - |
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Go | github.com/go-git/go-billy/v5 | <5.9.0 | 5.9.0 |
| Go | github.com/go-git/go-billy/v6 | <6.0.0-alpha.1 | 6.0.0-alpha.1 |
References
- https://github.com/go-git/go-billy/security/advisories/GHSA-m3xc-h892-ggx6
- https://github.com/go-git/go-billy
- https://github.com/go-git/go-billy/releases/tag/v5.9.0
- https://github.com/go-git/go-billy/releases/tag/v6.0.0-alpha.1
- https://github.com/advisories/GHSA-m3xc-h892-ggx6
- https://security-tracker.debian.org/tracker/CVE-2026-44740
- https://www.suse.com/security/cve/CVE-2026-44740.html
CWEs
CWE-674 CWE-835