CVE-2026-42305: Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows
Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax. Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both have been corrected.

Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is impacted. POSIX clones are not directly exploitable (on POSIX \ is a literal filename byte), but a POSIX user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication.

This issue is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. There is no effective pre-patch workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by default on every platform, so no additional configuration is required.
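To make the two defects concrete, here is an added, standalone Python example (not Dulwich's own validator or config code) that applies NTFS-aware rules of the kind the advisory describes to single tree-entry names, modelled on Git upstream's core.protectNTFS checks, and reads core.protectNTFS from a constructed config mapping with protection defaulting on for every platform. The entry names, the config mapping shape and the function names are all assumptions made for this illustration.

```python
import re

# Added example, not Dulwich's code: simplified rules modelled on Git upstream's
# core.protectNTFS checks, applied to one tree-entry name (a single path element).
_GIT_SHORTNAME = re.compile(rb"^git~[1-9][0-9]*$", re.IGNORECASE)  # 8.3 aliases of .git

# Constructed sample tree-entry names: two benign, four that a Windows checkout must refuse.
SAMPLE_ENTRIES = [b"README.md", b"..\\outside.txt", b".git:stream", b".GIT. ", b"GiT~1", b"src"]


def ntfs_hostile_reason(name: bytes, protect_ntfs: bool = True):
    """Return why a single tree-entry name must be rejected, or None if it is safe."""
    if not name or b"\x00" in name or b"/" in name:
        return "empty, NUL or slash inside a single path element"
    if name in (b".", b".."):
        return "dot or dot-dot element"
    if name.lower() == b".git":
        return ".git element"
    if not protect_ntfs:  # on POSIX a backslash or colon is just a filename byte
        return None
    if b"\\" in name:
        return "backslash is a directory separator on Windows"
    if b":" in name:
        return "colon selects a drive letter or an NTFS alternate data stream"
    # NTFS ignores trailing dots and spaces when resolving names, so compare without them.
    stripped = name.rstrip(b". ").lower()
    if stripped == b".git":
        return ".git hidden behind trailing dots or spaces"
    if _GIT_SHORTNAME.match(stripped):
        return "8.3 short name that can alias .git"
    return None


def filter_tree_entries(entries, protect_ntfs=True):
    """Split entry names into (accepted, [(name, reason), ...]) for logging or rejection."""
    accepted, rejected = [], []
    for name in entries:
        reason = ntfs_hostile_reason(name, protect_ntfs)
        if reason:
            rejected.append((name, reason))
        else:
            accepted.append(name)
    return accepted, rejected


def protect_ntfs_enabled(config: dict) -> bool:
    """Read core.protectNTFS from a (section, name) -> value mapping (constructed shape);
    names are matched case-insensitively, and the default is True on every platform."""
    value = config.get((b"core", b"protectntfs"))
    if value is None:
        return True
    return value.strip().lower() not in (b"false", b"0", b"no", b"off")
```

With protect_ntfs=False the backslash entry passes, which is exactly why a validator that is only enabled on Windows leaves POSIX-side mirrors free to relay a hostile tree.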
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file write vulnerability exists in Dulwich, a pure-Python Git implementation, affecting versions from 0.10.0 up to but not including 1.2.5. The flaw is reachable over the network without authentication, but requires a victim to clone or check out a malicious repository; on Windows, specially crafted tree entries containing NTFS-hostile filename bytes are written outside the intended working directory, leading to remote code execution. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
- Detection (Available): Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle Dulwich as a dependency.
- Scoring (Available): HarborGuard is capable of scoring this finding at CVSS 8.8 (HIGH) and weighting it against each environment's compliance policy, then routing it to the appropriate team inbox within each customer organization.
- Remediation (Pending upstream): Because no upstream fix has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Dulwich 1.2.5 or a later fixed release appears upstream. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is available.
Exploit Conditions
- Network reachability: Required
  The malicious repository is served over a network-accessible Git endpoint; the victim's Dulwich client must be able to reach it to trigger the path traversal during clone, fetch, or checkout.
- Authentication: Not required
  No account or credentials are needed; any unauthenticated Git repository the victim is persuaded to clone is sufficient to deliver the malicious tree.
- Victim interaction: Required
  A user on Windows must actively clone, fetch, or check out the attacker-controlled repository, making this a social-engineering scenario where the victim is directed to a hostile Git URL.
- Attack complexity: Low (CVSS AC:L)
  Exploit reliability is high and condition-free once the victim interacts: the NTFS-hostile filename bytes are processed deterministically by Dulwich's broken validator with no race condition or memory-layout dependency required.
Blast Radius
- An attacker writes arbitrary files to any path the running process can reach on the victim's Windows filesystem, including startup folders, shell init scripts, or application config directories.
- Arbitrary file placement at attacker-chosen locations enables remote code execution in the context of the user running Dulwich, giving the attacker full control of that user session.
- Confidential files accessible to the victim user (source code, credentials, tokens stored on disk) are at risk of being overwritten or shadowed by attacker-supplied content.
- A POSIX user who clones and re-publishes an affected repository can unknowingly act as a relay, propagating the malicious tree to any Windows consumer who later fetches from that mirror.
How HarborGuard Handles This
Available on HarborGuard: since no upstream fix has been published for this CVE, HarborGuard continuously re-evaluates the advisory on every ingest cycle and will trigger a patched-image rebuild the moment Dulwich 1.2.5 or a later fixed release appears in the upstream feed. For customers with auto-remediation enabled, that rebuild will be followed automatically by a regression test run and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls worth considering include network-policy isolation that restricts which Git endpoints Dulwich-based workloads can reach, egress filtering to block outbound connections to untrusted Git hosts, and feature-flag or pipeline-gate controls that prevent untrusted repository sources from being passed to Dulwich on Windows hosts. Note that setting core.protectNTFS in Dulwich configuration on affected versions provides no protection because the option name lookup bug causes the value to be silently ignored; the only reliable mitigation is to avoid cloning or checking out untrusted repositories until the upgrade is applied.
- jelmer/dulwich: >= 0.10.0, < 1.2.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H