CVE-2026-44740— go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion
Possible ATT&CK Techniques 1AI
T1496 · Resource HijackingGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44740
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion
Source: NVD (National Vulnerability Database)
Vulnerability Description
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未经控制的递归
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44740
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44740
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-44740 (1)
Vendor Pages for CVE-2026-44740 (2)
- 🔗 Release v5.9.0 · go-git/go-billy · GitHubx_refsource_MISC
- 🔗 Release v6.0.0-alpha.1 · go-git/go-billy · GitHubx_refsource_MISC
IV. Related Vulnerabilities
Same vendor: go-git
- CVE-2026-44973
Billy: Path traversal vulnerabilities - CVE-2026-45570
go-git: Improper single-quote escaping in go-git SSH transpo - CVE-2026-45571
go-git: Crafted repositories may modify main and submodule . - CVE-2026-45022
go-git: Improper parsing of specially crafted objects may le - CVE-2026-41506
go-git Credential leak via cross-host redirect in smart HTTP
Same weakness: CWE-674
- CVE-2026-40989
Self Routing guard bypassed via function composition - CVE-2026-42328
go-ipld-prime: DAG-CBOR and DAG-JSON decoders unbounded recu - CVE-2026-6936
IBM i is Affected by a Denial of Service Vulnerability [] - CVE-2026-44844
eml_parser: Recursion DoS via nested message/rfc822 attachme - CVE-2026-7453
WRL File Parsing Memory Exhaustion in Autodesk 3ds Max
V. Comments for CVE-2026-44740
No comments yet