{"id":"CVE-2026-47734","summary":"Dulwich has unbounded memory allocation in receive-pack from crafted thin packs","details":"Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (~174 bytes)  whose delta header declares a huge   dest_size. When dulwich ingested it via  add_thin_pack / apply_delta, it would  allocate hundreds of MB of memory based on that attacker-controlled size, with no relationship to the actual bytes received. Operators running a Dulwich-based Git server that exposes git-receive-pack (i.e. accepts pushes) - for example via dulwich.server functionality, the HTTP  smart server, or anything built on ReceivePackHandler - are impacted. The issue is patched in 1.2.5. add_thin_pack now accepts a max_input_size keyword (bytes; 0/None = unlimited, matching git's semantics), and ReceivePackHandler reads receive.maxInputSize from the repository config and passes it through. Wire reads are counted and a PackInputTooLarge exception is raised once the cap is exceeded - equivalent to git index-pack --max-input-size. Users should upgrade to Dulwich 1.2.5 or later and set receive.maxInputSize in their server's repository config to a sane bound for their environment. On unpatched versions, receive.maxInputSize has no effect, so it cannot be used as a workaround. Until upgrading, operators should restrict dulwich-receive-pack (push) access to trusted, authenticated clients only, or disable it entirely on servers that only need to serve fetches and/or run the server under an OS-level memory limit (e.g. ulimit, cgroups/MemoryMax, or a container memory limit) so a malicious push is killed rather than taking down the host.","aliases":["GHSA-xrvj-v92f-53gj"],"modified":"2026-07-08T08:05:19.213877964Z","published":"2026-06-10T22:11:02.704Z","database_specific":{"cwe_ids":["CWE-400","CWE-789"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47734.json"},"references":[{"type":"WEB","url":"https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/47xxx/CVE-2026-47734.json"},{"type":"ADVISORY","url":"https://github.com/jelmer/dulwich/security/advisories/GHSA-xrvj-v92f-53gj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-47734"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jelmer/dulwich","events":[{"introduced":"bd0bc8c85b439d0824363c12701fccb992b203dd"},{"fixed":"073f4dfa9840af2da59887ed828b026b609faa6c"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0.1.0"},{"fixed":"1.2.5"}]}}],"versions":["dulwich-1.2.4","dulwich-1.2.3","dulwich-1.2.2","dulwich-1.2.1","dulwich-1.2.0","dulwich-1.1.0","dulwich-1.0.0","dulwich-0.25.2","dulwich-0.25.1","dulwich-0.25.0","dulwich-0.24.8","dulwich-0.24.7","dulwich-0.24.6","dulwich-0.24.5","dulwich-0.24.2","dulwich-0.24.1","dulwich-0.24.0","dulwich-0.23.2","dulwich-0.23.1","dulwich-0.22.8","dulwich-0.22.7","dulwich-0.22.6","dulwich-0.22.5","dulwich-0.22.4","dulwich-0.22.3","dulwich-0.22.2","dulwich-0.22.1","dulwich-0.22.0","dulwich-0.21.7","dulwich-0.21.6","dulwich-0.21.5","dulwich-0.21.4.1","dulwich-0.21.3","dulwich-0.21.2","dulwich-0.21.1","dulwich-0.21.0","dulwich-0.20.50","dulwich-0.20.44","dulwich-0.20.43","dulwich-0.20.42","dulwich-0.20.41","dulwich-0.20.40","dulwich-0.20.39","dulwich-0.20.38","dulwich-0.20.37","dulwich-0.20.36","dulwich-0.20.35","dulwich-0.20.34","dulwich-0.20.33","dulwich-0.20.32","dulwich-0.20.25","dulwich-0.20.30","dulwich-0.20.29","dulwich-0.20.28","dulwich-0.20.27","dulwich-0.20.26","dulwich-0.20.24","dulwich-0.20.23","dulwich-0.20.22","dulwich-0.20.21","dulwich-0.20.20","dulwich-0.20.19","dulwich-0.20.18","dulwich-0.20.17","dulwich-0.20.15","dulwich-0.20.14","dulwich-0.20.13","dulwich-0.20.12","dulwich-0.20.11","dulwich-0.20.9","dulwich-0.20.8","dulwich-0.20.7","dulwich-0.20.6","dulwich-0.20.5","dulwich-0.20.4","dulwich-0.20.3","dulwich-0.20.2","dulwich-0.20.1","dulwich-0.20.0","dulwich-0.19.16","dulwich-0.19.15","dulwich-0.19.14","dulwich-0.19.13","dulwich-0.19.12","dulwich-0.19.11","dulwich-0.19.10","dulwich-0.19.9","dulwich-0.19.8","dulwich-0.19.7","dulwich-0.19.6","dulwich-0.19.5","dulwich-0.19.4","dulwich-0.19.3","dulwich-0.19.2-2","dulwich-0.19.2-1","dulwich-0.19.2","dulwich-0.19.1","dulwich-0.19.0","dulwich-0.18.6","dulwich-0.18.5","dulwich-0.18.4","dulwich-0.18.3","dulwich-0.18.2","dulwich-0.18.1","dulwich-0.18.0","dulwich-0.17.3","dulwich-0.17.2","dulwich-0.17.1","dulwich-0.17.0","dulwich-0.16.3","dulwich-0.16.2","dulwich-0.16.1","dulwich-0.16.0","dulwich-0.15.0","dulwich-0.14.1","dulwich-0.14.0","dulwich-0.13.0","dulwich-0.12.0","dulwich-0.11.1","dulwich-0.11.0","dulwich-0.10.1","dulwich-0.10.0","dulwich-0.9.8","dulwich-0.9.7","dulwich-0.9.6","dulwich-0.9.5","dulwich-0.9.4","dulwich-0.9.3","dulwich-0.9.2","dulwich-0.9.1","dulwich-0.9.0","dulwich-0.8.7","dulwich-0.8.6","dulwich-0.8.5","dulwich-0.8.4","dulwich-0.8.3","dulwich-0.8.2","dulwich-0.8.1","dulwich-0.8.0","dulwich-0.7.1","dulwich-0.7.0","dulwich-0.6.2","dulwich-0.6.1","dulwich-0.6.0","dulwich-0.5.0","dulwich-0.4.1","dulwich-0.4.0","dulwich-0.3.3","dulwich-0.3.2","dulwich-0.3.1","dulwich-0.3.0","dulwich-0.2.1","dulwich-0.2.0","dulwich-0.1.1","dulwich-0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-47734.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"}]}