CVE-2026-25934

go-git/go-git: go-git: Data integrity issue due to improper verification of pack and index files

ecosystem: redhat:8, redhat:9

go-git is a highly extensible Git implementation library written in pure Go. Prior to 5.16.5, go-git did not properly verify the data integrity values for .pack and .idx files. As a result, go-git could consume corrupted files, which would likely result in unexpected errors such as object not found. For context, clients fetch packfiles from upstream Git servers. Those files contain a checksum of their contents, so that clients can perform integrity checks before consuming them. The pack indexes (.idx) are generated locally by go-git, or by the git CLI, when new .pack files are received and processed. The integrity checks for both files were not being performed correctly. This vulnerability is fixed in 5.16.5.

References
severity: Moderate

type: vendor

source: secalert@redhat.com

CVSS 3.1: 4.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

AV: Network
AC: Low
PR: None
UI: Required
S: Not Changed
C: None
I: Low
A: None

source: secalert@redhat.com

CWE
CWE-354: Improper Validation of Integrity Check Value

source: secalert@redhat.com

published: 2026-02-09 22:13:41

modified: 2026-02-11 19:46:55

Detection

redhat:8
CVE-2026-25934

redhat-vex

OR

unfixed (Fix deferred)

grafana

package type: binary

type: version
unfixed (Fix deferred)

grafana-azure-monitor

package type: binary

type: version
unfixed (Fix deferred)

grafana-cloudwatch

package type: binary

type: version
unfixed (Fix deferred)

grafana-elasticsearch

package type: binary

type: version
unfixed (Fix deferred)

grafana-graphite

package type: binary

type: version
unfixed (Fix deferred)

grafana-influxdb

package type: binary

type: version
unfixed (Fix deferred)

grafana-loki

package type: binary

type: version
unfixed (Fix deferred)

grafana-mssql

package type: binary

type: version
unfixed (Fix deferred)

grafana-mysql

package type: binary

type: version
unfixed (Fix deferred)

grafana-opentsdb

package type: binary

type: version
unfixed (Fix deferred)

grafana-postgres

package type: binary

type: version
unfixed (Fix deferred)

grafana-prometheus

package type: binary

type: version
unfixed (Fix deferred)

grafana-selinux

package type: binary

type: version
unfixed (Fix deferred)

grafana-stackdriver

package type: binary

type: version
unfixed (Fix deferred)

grafana

package type: source

type: version

tag: rhel-8-including-unpatched:a6618379-c998-bcc2-6548-61c943711fea

redhat:9
CVE-2026-25934

redhat-vex

OR

unfixed (Fix deferred)

grafana

package type: binary

type: version
unfixed (Fix deferred)

grafana-selinux

package type: binary

type: version
unfixed (Fix deferred)

grafana

package type: source

type: version

tag: rhel-9-including-unpatched:35be0af2-f489-8e50-61fe-e606604f5993

Data Sources

  • RedHat Enterprise Linux CSAF VEX

    redhat-vex
