{"id":"CVE-2018-8099","details":"Incorrect returning of an error code in the index.c:read_entry() function leads to a double free in libgit2 before v0.26.2, which allows an attacker to cause a denial of service via a crafted repository index file.","modified":"2026-04-11T08:05:23.171145Z","published":"2018-03-14T00:29:00.657Z","related":["SUSE-SU-2018:3440-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/03/msg00031.html"},{"type":"FIX","url":"https://github.com/libgit2/libgit2/commit/58a6fe94cb851f71214dbefac3f9bffee437d6fe"},{"type":"FIX","url":"https://libgit2.github.com/security/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libgit2/libgit2","events":[{"introduced":"0"},{"fixed":"dd2d5381773ca3f7bc31f56aea6fc067db5ea404"},{"fixed":"58a6fe94cb851f71214dbefac3f9bffee437d6fe"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.26.2"}]}}],"versions":["v0.1.0","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.15.0","v0.16.0","v0.17.0","v0.18.0","v0.2.0","v0.21.0","v0.22.0","v0.22.0-rc1","v0.22.0-rc2","v0.23.0","v0.23.0-rc1","v0.23.0-rc2","v0.24.0","v0.24.0-rc1","v0.26.0","v0.26.0-rc1","v0.26.0-rc2","v0.26.1","v0.27.0-rc1","v0.27.0-rc2","v0.3.0","v0.8.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"vanir_signatures_modified":"2026-04-11T08:05:23Z","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["54434640033148516061231194138629026265","36005312606787468733691535169613857896","20406774513225240641428088838518152789","31152256589248188643522889485772072262","333018302007796322857284296544971108009","10474665604692016785909399706669282923","118852015686781280320926685007600972444","334926489830149146612760990200220186931","34578972368817921048594679401107949855","67938626018468066344711208432715017404","104549862364235433960528485759213327713","895104035598238706338726863454189642","333691659661794338377060553396893695292","225188868774070178604722169567298450289","178421009659369774024887256913739816277","164098357496020222110408314788895883612","201908675194593531614919158297368280763","88303667997138751197628739510642223009","108060129305723536833558510022955542062","155556404635052772361138247102782480973","93917638411116238411790677871894336141","89926923003986250422445763207465218698","156324533981147638834860265256208246410","221065977889216699488749717955358282063","73630240176910640457380312420342491903","150355747291049439676457778792698228849","239800797623572347964284585324405070738","36565342770416434674233130777148102467","12324359012331978738579947485860681388"]},"signature_version":"v1","target":{"file":"src/index.c"},"signature_type":"Line","id":"CVE-2018-8099-5d41732f","source":"https://github.com/libgit2/libgit2/commit/58a6fe94cb851f71214dbefac3f9bffee437d6fe","deprecated":false},{"digest":{"length":2344,"function_hash":"198063612693010879224485591649861150621"},"signature_version":"v1","target":{"function":"read_entry","file":"src/index.c"},"signature_type":"Function","id":"CVE-2018-8099-f70f94cb","source":"https://github.com/libgit2/libgit2/commit/58a6fe94cb851f71214dbefac3f9bffee437d6fe","deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-8099.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}