Vulnerability-Lookup

CVE-2026-42305 (GCVE-0-2026-42305)

Vulnerability from cvelistv5 – Published: 2026-06-10 21:55 – Updated: 2026-06-11 13:42

Title

Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows

Summary

Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax. Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected. Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication. This issue is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. There is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required.

Severity

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

4 references

URL	Tags
https://github.com/jelmer/dulwich/security/adviso…	x_refsource_CONFIRM
https://github.com/jelmer/dulwich/commit/49eb56e5…	x_refsource_MISC
https://github.com/jelmer/dulwich/commit/57efc4aa…	x_refsource_MISC
https://github.com/jelmer/dulwich/releases/tag/du…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
jelmer	dulwich	Affected: >= 0.10.0, < 1.2.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42305",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-11T13:42:25.959011Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-11T13:42:34.147Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dulwich",
          "vendor": "jelmer",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.10.0, \u003c 1.2.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich\u0027s path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax. Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected. Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \\ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication. This issue is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. There is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-10T21:55:30.942Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj"
        },
        {
          "name": "https://github.com/jelmer/dulwich/commit/49eb56e51aad637fc23d54bf2a08cb42739b8290",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jelmer/dulwich/commit/49eb56e51aad637fc23d54bf2a08cb42739b8290"
        },
        {
          "name": "https://github.com/jelmer/dulwich/commit/57efc4aa1581e038915a0fd79365be53b150f4a9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jelmer/dulwich/commit/57efc4aa1581e038915a0fd79365be53b150f4a9"
        },
        {
          "name": "https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5"
        }
      ],
      "source": {
        "advisory": "GHSA-897w-fcg9-f6xj",
        "discovery": "UNKNOWN"
      },
      "title": "Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42305",
    "datePublished": "2026-06-10T21:55:30.942Z",
    "dateReserved": "2026-04-26T12:13:55.553Z",
    "dateUpdated": "2026-06-11T13:42:34.147Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42305",
      "date": "2026-06-11",
      "epss": "0.00223",
      "percentile": "0.45162"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42305\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-10T23:16:46.113\",\"lastModified\":\"2026-06-11T15:21:07.370\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich\u0027s path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax. Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected. Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \\\\ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication. This issue is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. There is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/jelmer/dulwich/commit/49eb56e51aad637fc23d54bf2a08cb42739b8290\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/jelmer/dulwich/commit/57efc4aa1581e038915a0fd79365be53b150f4a9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-22\", \"lang\": \"en\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"REQUIRED\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj\"}, {\"name\": \"https://github.com/jelmer/dulwich/commit/49eb56e51aad637fc23d54bf2a08cb42739b8290\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/jelmer/dulwich/commit/49eb56e51aad637fc23d54bf2a08cb42739b8290\"}, {\"name\": \"https://github.com/jelmer/dulwich/commit/57efc4aa1581e038915a0fd79365be53b150f4a9\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/jelmer/dulwich/commit/57efc4aa1581e038915a0fd79365be53b150f4a9\"}, {\"name\": \"https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5\"}], \"affected\": [{\"vendor\": \"jelmer\", \"product\": \"dulwich\", \"versions\": [{\"version\": \"\u003e= 0.10.0, \u003c 1.2.5\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-10T21:55:30.942Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich\u0027s path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax. Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected. Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \\\\ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication. This issue is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. There is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required.\"}], \"source\": {\"advisory\": \"GHSA-897w-fcg9-f6xj\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42305\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-11T13:42:25.959011Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-11T13:42:30.383Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42305\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-04-26T12:13:55.553Z\", \"datePublished\": \"2026-06-10T21:55:30.942Z\", \"dateUpdated\": \"2026-06-11T13:42:34.147Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-42305

Vulnerability from fkie_nvd - Published: 2026-06-10 23:16 - Updated: 2026-06-11 15:21

Severity

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/jelmer/dulwich/commit/49eb56e51aad637fc23d54bf2a08cb42739b8290
	security-advisories@github.com	https://github.com/jelmer/dulwich/commit/57efc4aa1581e038915a0fd79365be53b150f4a9
	security-advisories@github.com	https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5
	security-advisories@github.com	https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich\u0027s path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax. Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected. Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \\ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication. This issue is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. There is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required."
    }
  ],
  "id": "CVE-2026-42305",
  "lastModified": "2026-06-11T15:21:07.370",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-10T23:16:46.113",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/jelmer/dulwich/commit/49eb56e51aad637fc23d54bf2a08cb42739b8290"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/jelmer/dulwich/commit/57efc4aa1581e038915a0fd79365be53b150f4a9"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-897W-FCG9-F6XJ

Vulnerability from github – Published: 2026-05-28 22:28 – Updated: 2026-06-11 14:05

Summary

Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows

Details

Impact

Arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows.

Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax:

\ — the Windows path separator. A single tree entry named .git\hooks\pre-commit.exe was treated as one valid filename on POSIX but materialized as nested directories .git/hooks/pre-commit.exe on Windows, planting a file inside the victim's .git directory. Git for Windows then executes that hook on the next git commit, giving the attacker arbitrary code execution in the victim's user context. The same primitive can be used with ..\outside.txt to escape the work tree.
: — the NTFS alternate-data-stream marker. .git::$INDEX_ALLOCATION writes directly into the victim's .git entity, bypassing the .git-as-a-directory check.
git~ — NTFS 8.3 short-name aliases of .git. Only the literal git~1 was rejected; git~2, git~10, GIT~1, etc. were all accepted.

Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected.

Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication.

Patches

Fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later.

The fix lives in three commits:

Read core.protectNTFS / core.protectHFS under their documented option names so user-set values are honored.
Default core.protectNTFS to true on every platform, matching Git's PROTECT_NTFS_DEFAULT=1.
Reject \, :, and all git~ 8.3 short-name forms in validate_path_element_ntfs.

Workarounds

There is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required.

Resources

Git upstream path validation: https://github.com/git/git/blob/master/path.c (is_ntfs_dotgit, verify_path)
CVE-2019-1353 — the Git upstream vulnerability that established core.protectNTFS = true as the cross-platform default
CVE-2019-1354 — backslash-in-tree-path class in Git, analogous to this issue

Severity

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "dulwich"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.0"
            },
            {
              "fixed": "1.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-28T22:28:06Z",
    "nvd_published_at": "2026-06-10T23:16:46Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n\nArbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows.\n\nDulwich\u0027s path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax:\n\n  - \\ \u2014 the Windows path separator. A single tree entry named .git\\hooks\\pre-commit.exe was treated as one valid filename on POSIX but materialized as nested directories .git/hooks/pre-commit.exe on Windows, planting a file inside the victim\u0027s .git directory. Git for Windows then\n  executes that hook on the next git commit, giving the attacker arbitrary code execution in the victim\u0027s user context. The same primitive can be used with ..\\outside.txt to escape the work tree.\n  - : \u2014 the NTFS alternate-data-stream marker. .git::$INDEX_ALLOCATION writes directly into the victim\u0027s .git entity, bypassing the .git-as-a-directory check.\n  - git~\u003cdigits\u003e \u2014 NTFS 8.3 short-name aliases of .git. Only the literal git~1 was rejected; git~2, git~10, GIT~1, etc. were all accepted.\n\nContributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected.\n\nAnyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \\ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication.\n\n## Patches\n\nFixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later.\n\nThe fix lives in three commits:\n\n- Read core.protectNTFS / core.protectHFS under their documented option names so user-set values are honored.\n- Default core.protectNTFS to true on every platform, matching Git\u0027s PROTECT_NTFS_DEFAULT=1.\n- Reject \\, :, and all git~\u003cdigits\u003e 8.3 short-name forms in validate_path_element_ntfs.\n\n## Workarounds\n\nThere is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required.\n\n## Resources\n\n- Git upstream path validation: https://github.com/git/git/blob/master/path.c (is_ntfs_dotgit, verify_path)\n- CVE-2019-1353 \u2014 the Git upstream vulnerability that established core.protectNTFS = true as the cross-platform default\n- CVE-2019-1354 \u2014 backslash-in-tree-path class in Git, analogous to this issue",
  "id": "GHSA-897w-fcg9-f6xj",
  "modified": "2026-06-11T14:05:10Z",
  "published": "2026-05-28T22:28:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jelmer/dulwich/security/advisories/GHSA-897w-fcg9-f6xj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jelmer/dulwich/commit/49eb56e51aad637fc23d54bf2a08cb42739b8290"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jelmer/dulwich/commit/57efc4aa1581e038915a0fd79365be53b150f4a9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jelmer/dulwich"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows"
}

OPENSUSE-SU-2026:10900-1

Vulnerability from csaf_opensuse - Published: 2026-05-29 00:00 - Updated: 2026-05-29 00:00

Summary

python311-dulwich-1.2.5-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: python311-dulwich-1.2.5-1.1 on GA media

Description of the patch: These are all security issues fixed in the python311-dulwich-1.2.5-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10900

CVE-2026-42305

Affected products

Recommended 12 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-42563

Affected products

Recommended 12 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2026-47712

Affected products

Recommended 12 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-42305/	self
https://www.suse.com/security/cve/CVE-2026-42563/	self
https://www.suse.com/security/cve/CVE-2026-47712/	self
https://www.suse.com/security/cve/CVE-2026-42305	external
https://www.suse.com/security/cve/CVE-2026-42563	external
https://www.suse.com/security/cve/CVE-2026-47712	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-dulwich-1.2.5-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-dulwich-1.2.5-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10900",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10900-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-42305 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-42305/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-42563 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-42563/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-47712 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-47712/"
      }
    ],
    "title": "python311-dulwich-1.2.5-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-05-29T00:00:00Z",
      "generator": {
        "date": "2026-05-29T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10900-1",
      "initial_release_date": "2026-05-29T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-05-29T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-dulwich-1.2.5-1.1.aarch64",
                "product": {
                  "name": "python311-dulwich-1.2.5-1.1.aarch64",
                  "product_id": "python311-dulwich-1.2.5-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-dulwich-1.2.5-1.1.aarch64",
                "product": {
                  "name": "python313-dulwich-1.2.5-1.1.aarch64",
                  "product_id": "python313-dulwich-1.2.5-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python314-dulwich-1.2.5-1.1.aarch64",
                "product": {
                  "name": "python314-dulwich-1.2.5-1.1.aarch64",
                  "product_id": "python314-dulwich-1.2.5-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-dulwich-1.2.5-1.1.ppc64le",
                "product": {
                  "name": "python311-dulwich-1.2.5-1.1.ppc64le",
                  "product_id": "python311-dulwich-1.2.5-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-dulwich-1.2.5-1.1.ppc64le",
                "product": {
                  "name": "python313-dulwich-1.2.5-1.1.ppc64le",
                  "product_id": "python313-dulwich-1.2.5-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python314-dulwich-1.2.5-1.1.ppc64le",
                "product": {
                  "name": "python314-dulwich-1.2.5-1.1.ppc64le",
                  "product_id": "python314-dulwich-1.2.5-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-dulwich-1.2.5-1.1.s390x",
                "product": {
                  "name": "python311-dulwich-1.2.5-1.1.s390x",
                  "product_id": "python311-dulwich-1.2.5-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-dulwich-1.2.5-1.1.s390x",
                "product": {
                  "name": "python313-dulwich-1.2.5-1.1.s390x",
                  "product_id": "python313-dulwich-1.2.5-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python314-dulwich-1.2.5-1.1.s390x",
                "product": {
                  "name": "python314-dulwich-1.2.5-1.1.s390x",
                  "product_id": "python314-dulwich-1.2.5-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-dulwich-1.2.5-1.1.x86_64",
                "product": {
                  "name": "python311-dulwich-1.2.5-1.1.x86_64",
                  "product_id": "python311-dulwich-1.2.5-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-dulwich-1.2.5-1.1.x86_64",
                "product": {
                  "name": "python313-dulwich-1.2.5-1.1.x86_64",
                  "product_id": "python313-dulwich-1.2.5-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python314-dulwich-1.2.5-1.1.x86_64",
                "product": {
                  "name": "python314-dulwich-1.2.5-1.1.x86_64",
                  "product_id": "python314-dulwich-1.2.5-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-dulwich-1.2.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64"
        },
        "product_reference": "python311-dulwich-1.2.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-dulwich-1.2.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le"
        },
        "product_reference": "python311-dulwich-1.2.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-dulwich-1.2.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x"
        },
        "product_reference": "python311-dulwich-1.2.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-dulwich-1.2.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64"
        },
        "product_reference": "python311-dulwich-1.2.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-dulwich-1.2.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64"
        },
        "product_reference": "python313-dulwich-1.2.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-dulwich-1.2.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le"
        },
        "product_reference": "python313-dulwich-1.2.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-dulwich-1.2.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x"
        },
        "product_reference": "python313-dulwich-1.2.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-dulwich-1.2.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64"
        },
        "product_reference": "python313-dulwich-1.2.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-dulwich-1.2.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64"
        },
        "product_reference": "python314-dulwich-1.2.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-dulwich-1.2.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le"
        },
        "product_reference": "python314-dulwich-1.2.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-dulwich-1.2.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x"
        },
        "product_reference": "python314-dulwich-1.2.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python314-dulwich-1.2.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
        },
        "product_reference": "python314-dulwich-1.2.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-42305",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-42305"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-42305",
          "url": "https://www.suse.com/security/cve/CVE-2026-42305"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-29T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-42305"
    },
    {
      "cve": "CVE-2026-42563",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-42563"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-42563",
          "url": "https://www.suse.com/security/cve/CVE-2026-42563"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-29T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-42563"
    },
    {
      "cve": "CVE-2026-47712",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-47712"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
          "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-47712",
          "url": "https://www.suse.com/security/cve/CVE-2026-47712"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-dulwich-1.2.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-dulwich-1.2.5-1.1.x86_64",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.aarch64",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.s390x",
            "openSUSE Tumbleweed:python314-dulwich-1.2.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-29T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-47712"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42305 (GCVE-0-2026-42305)

FKIE_CVE-2026-42305

GHSA-897W-FCG9-F6XJ

Impact

Patches

Workarounds

Resources

OPENSUSE-SU-2026:10900-1

Tags

Sightings

Nomenclature