CVE-2026-44740
go-billy: Lack of depth and cycle detection in symlink resolution may lead to infinite loops and resource exhaustion
Description
Billy is an interface filesystem abstraction for Go. Prior to versions 5.9.0 and 6.0.0-alpha.1, multiple components may improperly handle crafted or malformed input, resulting in panics, infinite loops, uncontrolled recursion, or excessive resource consumption. These issues arise from insufficient validation and missing safety mechanisms such as cycle detection, recursion limits, or defensive handling of unexpected states when processing untrusted repository data and filesystem structures. This issue has been patched in versions 5.9.0 and 6.0.0-alpha.1.
How to fix CVE-2026-44740
To remediate CVE-2026-44740, upgrade the affected package to a fixed version below.
- —no fix listed
- —no fix listed
- —upgrade to 5.9.0 or later
- —upgrade to 6.0.0-alpha.1 or later
Is CVE-2026-44740 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0
- from 0
- from 0, < 5.9.0
- from 0, < 6.0.0-alpha.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |